Re: How the hell do you use multiple NOT values with rlm_checkval and sql??

2006-06-01 Thread Alan DeKok
Mike Jakubik [EMAIL PROTECTED] wrote:
 First of all, the above can be accomplished in SQL using the checkval 
 module and the += OP. That's great and dandy until you need to specify 
 numbers that users can NOT dial to. In any case that will not work for 
 me, as I need to do this for each group defined in SQL, not DEFAULT for 
 all users.

  So add the group as an additional check item.

This doesn't work quite the same in SQL, because the module doesn't
  support multiple entries.

 
 Yes it does, just not with a logical NOT.

  As I said, it's not really supported.

 I installed FreeRadius because it touted SQL support, now I'm finding
 out the features are limited, which is disappointing.

  There are few programs with unlimited features.

  That being said, I still think what you want is doable in
FreeRADIUS.  Perhaps you could try discussing the problem, rather than
SQL as a solution.  Odds are there's more than one way to reach the
goal.  If you're fixated on SQL, you may not see another solution.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth-Type = System not working

2006-06-01 Thread Alan DeKok
Maillists [EMAIL PROTECTED] wrote:
 but I know 100% that the password is correct.  What appears to be 
 happening (determined from hours of frustrating testing) is Freeradius 
 (rlm_unix) is looking for the users passwords in the /etc/passwd file 
 but my /etc/passwd file doesn't contain any passwords:
 test:*:1003:1003:Test User:/home/test:/bin/sh
 
 my /etc/master.passwd file does:
 test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test 
 User:/home/test:/bin/sh

  Read radiusd.conf, and look for /etc/passwd.  Odds are that you
enabled caching of /etc/passwd.  There's a reason it's not enabled by
default: it doesn't work on FreeBSD.  Which is explicitly documented.

  Alan DeKok.


mysql 5.0.22 with fr 1.1.2

2006-06-01 Thread Alexander Serkin
while trying to compile the fr 1.1.2 with mysql 5.0.22 I got the 
following with rlm_sql_mysql configure:



checking for mysql_config... yes
checking for mysql_init in -lmysqlclient (using mysql_config)... no
checking for mysql_init in -lmysqlclient... no
configure: warning: mysql libraries not found. Use 
--with-mysql-lib-dir=path.

checking for mysql.h (using mysql_config)... no
checking for mysql/mysql.h... yes
configure: warning: sql submodule 'mysql' disabled

mysql libraries are in /opt/mysql/lib/mysql. The machine is under 
Solaris 8 x86.


crle output says:
[EMAIL PROTECTED]:/usr/local/src/freeradius-1.1.2~# crle

Configuration file [3]: /var/ld/ld.config
  Default Library Path (ELF): 
/usr/lib:/usr/local/lib:/opt/mysql/lib/mysql:/usr/local/ssl/lib

  Trusted Directories (ELF):/usr/lib/secure  (system default)

And /usr/local/mysql is a symbolic link to /opt/mysql.

Everything seems to be in place, but configure does not see mysql.
What could be the reason?

--
Sincerely Yours,
Alexander


RE: configuring Freeradius server + accounting + IP address

2006-06-01 Thread Seferovic Edvin
Hello !

Hi All,

I am newly joined to this group. I have started working on radius.

I am facing some problems in configuring the free radius for accounting
purpose and to get the IP address of MS.

What do you mean by IP address of MS? Accounting setup is pretty well
described in the freeRadius documentation!

Regards,

Edvin

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
dius.org]On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 8:23 PM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 13, Issue 145


--

Message: 1
Date: Wed, 31 May 2006 12:16:43 +0200
From: Seferovic Edvin [EMAIL PROTECTED]
Subject: RE: Session-Octets-Limits
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii

It's working and the user disconnects when reaching the limit, but now if the
user disconnects and reconnects it will all start over. Is there a way to lock
the account?

So that the user won't be able to connect again?

YES, by using the sqlcounter module! This module should count the traffic usage
before the user is authorized to connect.

Regards,
Edvin



--

Message: 2
Date: Wed, 31 May 2006 14:01:28 +0300
From: Mordor Networks [EMAIL PROTECTED]
Subject: Re: Session-Octets-Limits
To: [EMAIL PROTECTED],  FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Do I have to patch the sqlcounter module so that it can be used for
counting traffic?

I have the default sqlcounter in my radius.conf: sqlcounter Dailycounter and
sqlcounter monthlycounter.



On 5/31/06, Seferovic Edvin [EMAIL PROTECTED] wrote:

 It's working and the user disconnects when reaching the limit, but now if the
 user disconnects and reconnects it will all start over. Is there a way to
 lock
 the account?
 
 So that the user won't be able to connect again?

 YES, by using the sqlcounter module! This module should count the traffic
 usage
 before the user is authorized to connect.

 Regards,
 Edvin


--

Message: 3
Date: Wed, 31 May 2006 09:49:19 -0400
From: Alan [EMAIL PROTECTED]
Subject: 1.1.2 Build Problems - rlm_eap-1.1.2.soT - ld: skipping
incompatible
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;   charset=US-ASCII

When I compile the latest stable FreeRadius build version 1.1.2. I came
across a few problems. I noticed the eap library file has a T appended to
the end of it (rlm_eap-1.1.2.soT) and some ld warnings after running
make. Please advise.

~Alan


OS: Red Hat Enterprise v.3 AMD64

---

Make ld warnings:

sql_mysql.c: In function `sql_error':
sql_mysql.c:333: warning: return discards qualifiers from pointer target
type
/usr/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libz.a when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.so when searching for
-lpthread
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.a when searching for
-lpthread
/usr/bin/ld: skipping incompatible /usr/lib/libcrypt.so when searching for
-lcrypt
/usr/bin/ld: skipping incompatible /usr/lib/libcrypt.a when searching for
-lcrypt
/usr/bin/ld: skipping incompatible /usr/lib/libnsl.so when searching for
-lnsl
/usr/bin/ld: skipping incompatible /usr/lib/libnsl.a when searching for
-lnsl
/usr/bin/ld: skipping incompatible /usr/lib/libm.so when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/libm.a when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.so when searching 
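A sqlcounter instance for the traffic lock-out discussed in messages 1 and 2 of the quoted digest above, written in the 1.x module syntax as an added example; it is not part of the digest or of the FreeRADIUS distribution. The instance name, the check attribute Max-Monthly-Traffic and the group name 'bronze' are assumptions; the query counts kilobytes because a RADIUS integer attribute holds a 32-bit value.

```conf
# radiusd.conf, modules section (added example): reject the user once the
# traffic recorded in radacct for the current month reaches the check item
sqlcounter monthlytrafficcounter {
        counter-name = Monthly-Traffic          # attribute the module fills in
        check-name = Max-Monthly-Traffic        # assumed check item, in kilobytes
        sqlmod-inst = sql                       # the rlm_sql instance to query
        key = User-Name
        reset = monthly                         # %b below is the start of the period
        # in+out octets of sessions started since the reset point, in kilobytes,
        # so the sum stays within the 32-bit value a RADIUS integer attribute holds
        query = "SELECT SUM(AcctInputOctets + AcctOutputOctets) DIV 1024 FROM radacct WHERE UserName = '%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}

# authorize section: the counter must run after sql, which loads the check items
authorize {
        # ... preprocess, chap, mschap, suffix, eap as in the stock config ...
        sql
        monthlytrafficcounter
}

-- radgroupcheck row (constructed): 1 GB per month for the assumed group 'bronze'
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
VALUES ('bronze', 'Max-Monthly-Traffic', ':=', '1048576');
```

Only sessions that have already sent accounting data are counted, so without interim updates a running session is charged when it stops, not while it is open.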

freeradius rlm_sql driver problem-need help

2006-06-01 Thread Abul Monsur Mannan

Hello FR Users

Can anybody here help me out of this problem?
I installed freeradius version 1.1.1 with mysql on RH Linux Enterprise 4 ed.
I've got this result

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...

reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded SQL
sql: driver = 
/usr/local/src/freeradius-1.1.1/src/modules/rlm_sql/drivers/rlm_sql_mysql
sql: server = localhost
sql: port = 
sql: login = radius
sql: password = radpass
sql: radius_db = radius
sql: acct_table = radacct
sql: acct_table2 = radacct
sql: authcheck_table = radcheck
sql: authreply_table = radreply
sql: groupcheck_table = radgroupcheck
sql: groupreply_table = radgroupreply
sql: usergroup_table = usergroup
sql: nas_table = nas
sql: dict_table = dictionary
sql: sqltrace = no
sql: sqltracefile = /usr/local/var/log/radius/sqltrace.sql
sql: readclients = no
sql: deletestalesessions = yes
sql: num_sql_socks = 5
sql: sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}
sql: default_user_profile = 
sql: query_on_not_found = no
sql: authorize_check_query = SELECT id, UserName, Attribute, Value,
opFROM radcheck   WHERE Username = '%{SQL-User-Name}'
  ORDER BY id
sql: authorize_reply_query = SELECT id, UserName, Attribute, Value,
opFROM radreply   WHERE Username = '%{SQL-User-Name}'
  ORDER BY id
sql: 

Auth-Type = Reject not 'working'

2006-06-01 Thread A . L . M . Buxey
hi,

the recent post mentioning Auth-Type = System reminded me:
if I've got an Auth-Type = Reject in the users file, then when making
a request with a remote RADIUS client, the request times
out when freeradius is running as a normal process daemon... on
Fedora, this is running as a service with the '-y' option...
however, this timeout is variable..and sometimes...just sometimes
it works. 

however, when running freeradius in debug mode, with -X, the Reject
reply message is pretty fast...though still a lot slower than an 
Access-Accept message for a valid user - even though the valid user
is in a database or a kerberos check. I assumed that an Auth-Type := Reject
was an instant hit, with no further procedures...  why then, when run
in debug mode, does FreeRADIUS happily reject the client request but
when run as a normal process, it throws the request towards other
Auth mechanisms?

alan


Re: mysql 5.0.22 with fr 1.1.2

2006-06-01 Thread A . L . M . Buxey
Hi,

 while trying to compile the fr 1.1.2 with mysql 5.0.22 I got the 
 following with rlm_sql_mysql configure:


you did do

./configure --with-mysql-lib-dir=/opt/mysql/lib/mysql

as per the output bleatings, yes?

alan


Re: mysql 5.0.22 with fr 1.1.2

2006-06-01 Thread Alexander Serkin

Oh, sorry for flood, found the solution in the archives.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2003-April/017789.html

[EMAIL PROTECTED] writes:

Hi,

while trying to compile the fr 1.1.2 with mysql 5.0.22 I got the 
following with rlm_sql_mysql configure:



you did do

./configure --with-mysql-lib-dir=/opt/mysql/lib/mysql

as per the output bleatings, yes?

alan



--
Sincerely Yours,
Alexander


Filter attributes when proxying

2006-06-01 Thread Martin Zuziak
Hello all

Is it possible to (easily) remove single attributes sent or received
when proxying? I know it can be done with attr_filter but if you only
want to remove a single attribute while leaving the rest untouched, you
need pass rules for every other attribute.

It doesn't look like attr_rewrite can remove attributes. Am I wrong?

Otherwise I think this would be a nice feature to implement. The
attr_filter module can easily (I think) be changed to include a variable
to control whether or not passing rules are needed to allow an
attribute.

Currently attributes are only allowed if they don't fail any rules in
attrs and pass at least one rule:

if (fail == 0 && pass > 0)

This could be changed to something like
if (fail == 0 && (pass > 0 || allow_no_match))

where a variable in the attrs file could control if passing rules are
required.

Sincerely,

Martin Zuziak [EMAIL PROTECTED]



listening interface configuration

2006-06-01 Thread Geoffroy Arnoud
Hi,

I am going to configure a FreeRADIUS as a RADIUS proxy. My proxy will have to 
listen on a couple of ports on 2 interfaces, so I set the following 
configuration in radiusd.conf:

listen {
ipaddr = IP1
port = 1812
type = auth
}
listen {
ipaddr = IP1
port = 1813
type = acct
}
listen {
ipaddr = IP2
port = 1812
type = auth
}
listen {
ipaddr = IP2
port = 1813
type = acct
}

When I start FreeRADIUS, I get the following

...
Listening on authentication IP1:1812
Listening on accounting IP1:1813
Listening on authentication IP2:1812
Listening on accounting IP2:1813
Listening on proxy IP1:1814
...


If I understand correctly, packets coming in on IP2 will be forwarded through IP1, right?

Is there a configuration solution to make packets coming in on IP2 be 
forwarded through IP1, or is FreeRADIUS limited to only one proxy ip/port?

Thank you in advance,

Geof.




proxy_fail_type attribute

2006-06-01 Thread Geoffroy Arnoud
Hi,

I just got the latest CVS update, and I discovered a hidden attribute in 
mainconfig.c, named proxy_fail_type.
By reading the source code, my understanding is that setting this attribute to 
fail (for example) in proxy.conf, and setting the value fail for 
Post-Proxy-Type in dictionary.freeradius.internal, will allow FreeRADIUS to 
execute a module when the proxying of a request failed (no response from server or 
other cases).

My 1st question:
- Am I right (or near to the truth)?

I saw that this was not shipped in 1.1.2. But this feature appeared by the 
end of 2004. So my 2nd and 3rd questions are:
- Has anyone used or is anyone using this feature in a production deployment?
- Is this feature planned to be shipped in 1.2.x?

Thank you in advance.

Geof.




Re: Auth-Type = Reject not 'working'

2006-06-01 Thread Phil Mayers

[EMAIL PROTECTED] wrote:

however, when running freeradius is debug mode, with -X, the Reject
reply message is pretty fast...though still a lot slower than an 
Access-Accept message for a valid user - even though the valid user

is in a database or a kerberos check. I assumed that a Auth-Type := Reject
was an instant hit, with no further procedures...  why then, when run


security {
  #  delayed_reject: When sending an Access-Reject, it can be
  #  delayed for a few seconds.  This may help slow down a DoS
  #  attack.  It also helps to slow down people trying to brute-force
  #  crack a users password.
  #
  #  Setting this number to 0 means send rejects immediately
  reject_delay = 1
}


in debug mode, does FreeRADIUS happily reject the client request but
when run as a normal process, it throws the request towards other
Auth mechanisms?


I'm not sure about *that* aspect of it. I've never seen it. But rejects 
are delayed in the default config.


1.1.2 eap problem

2006-06-01 Thread VannMann32 .

Hi !

Upgrading from 1.1.1 to 1.1.2 and now I get this error message :


Thu Jun  1 12:26:22 2006 : Info: rlm_eap_tls: Loading the certificate file 
as a chain
Thu Jun  1 12:26:22 2006 : Error: rlm_eap: SSL error error:02001002:system 
library:fopen:No such file or directory
Thu Jun  1 12:26:22 2006 : Error: rlm_eap_tls: Error reading Trusted root CA 
list

Thu Jun  1 12:26:22 2006 : Error: rlm_eap: Failed to initialize type tls
Thu Jun  1 12:26:22 2006 : Error: radiusd.conf[10]: eap: Module 
instantiation failed.

Thu Jun  1 12:26:22 2006 : Error: radiusd.conf[1735] Unknown module eap.
Thu Jun  1 12:26:22 2006 : Error: radiusd.conf[1722] Failed to parse 
authenticate section.



My system is a FreeBSD 6.1-Stable




Re: Auth-Type = Reject not 'working'

2006-06-01 Thread A . L . M . Buxey
Hi,

   #  Setting this number to 0 means send rejects immediately
   reject_delay = 1

i know this one - but why the change in behaviour when running
in debug mode (where it all works fine - nice 1 second timeout,
no checking against other Authentication methods etc) compared
to running as a real service?

alan


PPPoE server + MySQL backend tutorial

2006-06-01 Thread Rani Ahmed

Please, do you have tutorial links for PPPoE server + MySQL backend?
Straightforward and easy to understand. Thanks.

This tool really needs Howtos.


revoking ca certificates

2006-06-01 Thread sumi thra
Hey All,

Does anybody know how to revoke the certificates? What changes need to be done in the freeradius 
eap.conf file? I'm trying to do it the way it's given in the default config file:

openssl command to revoke the ca-certificate: 
openssl ca -gencrl -keyfile ./privatekey.pem -cert cacert.pem revoke cacert.pem -out crl.pem

1. copied ca & crl to ./ directory (my ca & crl files are in current directory)
2. c_rehash ./

tls {
...
CA_file = ./cacert.pem
CA_path = ./
check_crl = yes
}

Still the server returns success for the user. Any idea? Where am I missing the configuration?
Please reply me with your info.
Thanks
Sumi
-- If u look at what u dont have in life, u dont have anything But if u look at what u have in life, u have everything.!!


-- If u look at what u dont have in life, u dont have anything But if u look at what u have in life, u have everything.!!



processes invoked goes defunct

2006-06-01 Thread Fabio
Hi,
I am using freeradius 1.0.5, configured so that when a user fails the password 
X times, a mail is sent to a sysadmin.
I have added the following to modules section:

exec accept_notify {
  wait = no
  program = /usr/local/etc/raddb/radius_reject_notify %{User-Name} accept 
%{FreeRADIUS-Proxied-To}
  input_pairs = request
}
exec reject_notify {
  wait = no
  program = /usr/local/etc/raddb/radius_reject_notify %{User-Name} reject 
%{FreeRADIUS-Proxied-To}
  input_pairs = request
}

and this is my post-auth section:
post-auth {
  accept_notify

  Post-Auth-Type REJECT {
reject_notify
  }
}

radius_reject_notify is the bash script attached.

However, when a user logs in and the script is executed, I see that the script 
remains in a defunct state. After some time I see hundreds of such processes:

Output of ps -e:
13110 ?00:00:00 radius_reject_n defunct
13232 ?00:00:00 radius_reject_n defunct
13233 ?00:00:00 radius_reject_n defunct


Has anyone an idea why freeradius does not close my script correctly?

Thanks,

  Fabio



radius_reject_notify:

#!/bin/bash
#
# Syntax:
#
#   mail_notify user access type
#     user:   user name
#     access: accept or reject
#     type:   accepted only if ( == FreeRADIUS-Proxied-To ) == 127.0.0.1
#

# TRY: number of retries before the admins are mailed
TRY=10

FAILED_USERS_DIR=/tmp/radius_user_fail/
MAIL_ADMINS=[EMAIL PROTECTED]

USER_RETRY=0
CURRENT_USER=$1
ACCESS=$2


failed() {
    mkdir -p "$FAILED_USERS_DIR"

    # The per-user counter file is named after the User-Name taken from the
    # request, so the name is attacker-supplied and should be treated as such.
    if [ -e "$FAILED_USERS_DIR/$CURRENT_USER" ]
    then
        USER_RETRY=`cat "$FAILED_USERS_DIR/$CURRENT_USER"`
    fi

    USER_RETRY=$(( USER_RETRY + 1 ))
    echo "$USER_RETRY" > "$FAILED_USERS_DIR/$CURRENT_USER"

    if (( USER_RETRY == $TRY ))
    then
        # Limit exceeded!
        send_mail
    fi
}

success() {
    if [ -e "$FAILED_USERS_DIR/$CURRENT_USER" ]
    then
        rm -f "$FAILED_USERS_DIR/$CURRENT_USER"
    fi
}

send_mail() {
    HOSTNAME=`hostname`
    env MAILRC=/dev/null [EMAIL PROTECTED] smtp=smtp.domain.com nail -n \
        -s "RADIUS - Authentication failed $TRY times" "$MAIL_ADMINS" <<END
$CURRENT_USER failed authentication for $TRY times.
END
}

case "$3" in
'127.0.0.1')
    case "$ACCESS" in
    'accept')
        success
        ;;
    'reject')
        failed
        ;;
    esac
    ;;
esac


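A process shows as defunct exactly when it has exited but its parent has not yet called wait() for it; with wait = no the server is the parent that would have to do that. The following is an added example, not FreeRADIUS code or the script from the post above, that reproduces the fire-and-forget pattern and contrasts it with the two usual fixes: a double fork that hands the job to init, and a non-blocking reaper for a parent that stays in control. The child job is a constructed stand-in that just exits.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for the notify script: exits immediately. */
static void child_job(void)
{
    _exit(0);
}

static void sleep_ms(int ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Pattern A, the failure mode behind the <defunct> entries: fork the job
 * and never wait for it. The child exits at once, but until the parent
 * calls wait() the kernel keeps its exit status and ps lists it as defunct. */
pid_t spawn_and_forget(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        child_job();            /* never returns */
    return pid;                 /* parent carries on without waiting */
}

/* Pattern B, for a caller that will not wait: double fork. The intermediate
 * child forks the real job and exits at once; the parent reaps it right here,
 * and the job is re-parented to init, which reaps it when it finishes. */
int spawn_detached(void)
{
    pid_t mid = fork();
    if (mid < 0)
        return -1;
    if (mid == 0) {
        pid_t job = fork();
        if (job < 0)
            _exit(127);
        if (job == 0)
            child_job();        /* grandchild: the real work */
        _exit(0);               /* intermediate child leaves immediately */
    }
    int status;
    while (waitpid(mid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Pattern C, for a parent that stays in control: reap whatever has finished.
 * Call from a SIGCHLD handler or the main loop; WNOHANG means it never blocks.
 * Returns the number of children reaped. */
int reap_children(void)
{
    int reaped = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        reaped++;
    return reaped;
}

/* Poll until the given child can be reaped or timeout_ms passes. Returns 1 if
 * it was reaped (it sat as a zombie until this call), 0 otherwise. */
int wait_for_zombie(pid_t pid, int timeout_ms)
{
    for (int waited = 0; waited < timeout_ms; waited += 10) {
        pid_t r = waitpid(pid, NULL, WNOHANG);
        if (r == pid)
            return 1;
        if (r < 0)
            return 0;           /* not our child or already reaped */
        sleep_ms(10);
    }
    return 0;
}

/* 1 if this process still has a child (running or zombie), 0 if none. */
int has_children(void)
{
    pid_t r = waitpid(-1, NULL, WNOHANG);
    return (r < 0 && errno == ECHILD) ? 0 : 1;
}

int main(void)
{
    pid_t p = spawn_and_forget();
    printf("fire-and-forget child was a zombie: %d\n", wait_for_zombie(p, 2000));
    printf("detached: %d, children left: %d\n", spawn_detached(), has_children());
    return 0;
}
```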


Re: EAP (PEAP) problems

2006-06-01 Thread Drew Linsalata

Alan DeKok wrote:


  Why did you add Auth-Type = Accept to the server?  It's breaking EAP.

  Alan DeKok.



Auth-Type = EAP?

A few folks had mentioned to us that using the EAP auth type was a bad 
idea.  Why?  No idea.  It seems obvious, so we'll give it a shot.



--

Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com


RE: Re: freeradius 1.1.1 and mysql issues

2006-06-01 Thread simon
Hi,

I have tried reordering the elements in the radiusd.conf file so that the 
database is tried first, and then commented out the section to check the users 
file, and I am still having the same issues.

Here is the output again:

Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.1:1320, id=0, length=123
User-Name = simon
NAS-IP-Address = 10.10.1.1
Called-Station-Id = 0014bff3dac8
Calling-Station-Id = 0013ce29c6d7
NAS-Identifier = 0014bff3dac8
NAS-Port = 56
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a0173696d6f6e
Message-Authenticator = 0x68b3f01e605eb032281dd6c99dfd9e52
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = simon, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
radius_xlat:  'simon'
rlm_sql (sql): sql_set_user escaped user -- 'simon'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'simon'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM 
radcheckWHERE Username = 'simon'   ORDER BY id
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'simon' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'simon' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'simon'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   FROM 
radreplyWHERE Username = 'simon'   ORDER BY id
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'simon' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'simon' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [simon/no User-Password attribute] (from client linksys-434 
port 56 cli 0013ce29c6d7)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.10.1.1 port 1320
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 447ef7e2
Nothing to do.  Sleeping until we see a request.


As before, it still authenticates perfectly when I try it with either NTRadPing 
or radtest.

Thanks again,

Simon


hi,

you say it works okay with NTRadPing and that when you use an entry in the users 
file it works... however,
in the log you supplied it's still matching an entry in the users file - and 
the server is then
happy to use that matching entry rather than one in the DB. The log you posted 
also shows that it
is attempting to use the files method... and that the match told it to use 
Local authentication... the
database query is then superfluous.

alan


RE: Re: freeradius 1.1.1 and mysql issues

2006-06-01 Thread Seferovic Edvin
  modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [simon/no User-Password attribute] (from client
linksys-434 port 56 cli 0013ce29c6d7)

There is no password? Is that okay?

You can set Auth-Type to Accept if the user is found in sql!
If that is what you actually want.

Regards,

Edvin




PEAP + Active directory

2006-06-01 Thread Kartthik Raghunathan
I am having a strange problem after my supplicant gets authenticated to my active 
directory. My supplicant tries to get authenticated to active directory or 
validate its identity every 60 mins, which disturbs the wireless connection and 
bothers me a lot. Is this normal, or can I set the timer to authenticate every 
120 mins or whatever timing I like?

I am using dynamic WEP and it has been set to change the key every 6 hours. Any 
help will be really appreciated.

Thanks in advance.

Kartthik





RE: RE: Re: freeradius 1.1.1 and mysql issues

2006-06-01 Thread simon
There is a password in the database (in the radcheck table) associated with 
the username.  I am also supplying both the username and password on my laptop 
as I am trying to connect.  I currently have the Auth-Type being set (:=) to 
Local in the radgroupcheck table.  I believe this should all be set up 
properly.  

Simon

  modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [simon/no User-Password attribute] (from client
linksys-434 port 56 cli 0013ce29c6d7)

There is no password ? Is that okay?

You can set Auth-Type to Accept if the user is found in sql !
If that is what you actually want.

Regards,

Edvin




Re: Auth-Type = System not working

2006-06-01 Thread Shane

Alan DeKok wrote:

Maillists [EMAIL PROTECTED] wrote:
but I know 100% that the password is correct.  What appears to be 
happening (determined from hours of frustrating testing) is Freeradius 
(rlm_unix) is looking for the users passwords in the /etc/passwd file 
but my /etc/passwd file doesn't contain any passwords:

test:*:1003:1003:Test User:/home/test:/bin/sh

my /etc/master.passwd file does:
test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test 
User:/home/test:/bin/sh


  Read radiusd.conf, and look for /etc/passwd.  Odds are that you
enabled caching of /etc/passwd.  There's a reason it's not enabled by
default: it doesn't work on FreeBSD.  Which is explicitly documented.

  Alan DeKok.


No, that isn't the cause as I have the following in radiusd.conf:

# Unix /etc/passwd style authentication
#
unix {
        # allowed values: {no, yes}
        cache = no

        # Reload the cache every 600 seconds (10mins). 0 to
        # disable.
        cache_reload = 600

        #  This is required for some systems, like FreeBSD,
        #  and Mac OSX.
        passwd = /etc/passwd
        shadow = /etc/master.passwd
        group = /etc/group

        #
        radwtmp = ${logdir}/radwtmp
}

I'm assuming the cache_reload = 600 doesn't matter, as the cache was 
disabled earlier in the config.  Any other things I should check to get 
Auth-Type = System working?


Shane


Server Specs

2006-06-01 Thread King, Michael
We're going to be setting up a few new FreeRADIUS servers on virtual
hardware.  The server admin is asking me what I need for specs.
(Virtually, they can allocate whatever I need)

It's about 200-500 simultaneous authentications. (This is my prediction
for the next 4 years, we're about 10 right now).  Using NTLM-auth to
talk to Active Directory, and performing PEAP.

I'm guessing 1 GHz of CPU, 512 MB of RAM, and 30 GB of HD.  Suggestions,
comments, criticisms?



Re: Re: freeradius 1.1.1 and mysql issues

2006-06-01 Thread A . L . M . Buxey
Hi,

 I have tried reordering the elements in the radiusd.conf file so that the 
 database is tried first, and then commented out the section to check the 
 users file, and I am still having the same issues.
 
 Here is the output again:
 
 modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type Local
 auth: type Local
 auth: No User-Password or CHAP-Password attribute in the request
^^^


 auth: Failed to validate the user.
 Login incorrect: [simon/no User-Password attribute] (from client 
 linksys-434 port 56 cli 0013ce29c6d7)
^^

Check the logs when you run NTRadPing etc.  It looks like the Linksys isn't 
sending all it needs to send.

alan


Re: EAP (PEAP) problems

2006-06-01 Thread Phil Mayers

Drew Linsalata wrote:

Alan DeKok wrote:


  Why did you add Auth-Type = Accept to the server?  It's breaking EAP.

  Alan DeKok.



Auth-Type = EAP?

A few folks had mentioned to us that using the EAP auth type was a bad 
idea.  Why?  No idea.  It seems obvious, so we'll give it a shot.


No. You should not have to set Auth-Type to anything, at all, except in 
very specialised configurations. Don't set it at all. For example, the 
entry in the users file might look like:


username User-Password := password

...and nothing else.


Re: EAP (PEAP) problems

2006-06-01 Thread Alan DeKok
Drew Linsalata [EMAIL PROTECTED] wrote:
 Auth-Type = EAP?
 
 A few folks had mentioned to us that using the EAP auth type was a bad 
 idea.  Why?  No idea.  It seems obvious, so we'll give it a shot.

  NO!  Read the documentation in eap.conf for why it's a bad idea.

  The solution to one broken configuration is NOT to add yet another
broken configuration.

  Find out where the Auth-Type Accept is coming from, and fix it!

  Alan DeKok.



Re: freeradius 1.1.1 and mysql issues

2006-06-01 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I have tried reordering the elements in the radiusd.conf file so
 that the database is tried first, and then commented out the section
 to check the users file, and I am still having the same issues.

  Re-ordering radiusd.conf won't help.  The problem is the broken
configuration.

  1) The server is receiving an EAP request
  2) You're forcing it to do Auth-Type of Local.
  3) therefore it's not doing EAP, *or* Local.

  Stop setting Auth-Type.  You're breaking the server.

  Alan DeKok.

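As an added example (not part of Simon's, Phil's or Alan's posts), here is what the broken radgroupcheck row from this thread looks like in SQL, next to the corrected state Alan and Phil describe: a password check item and no Auth-Type at all. It assumes the stock FreeRADIUS 1.1.x MySQL schema (radcheck, radgroupcheck and usergroup tables with UserName/GroupName, Attribute, op and Value columns); the user name 'simon', the group name 'wlan-users' and the password are placeholders.

```sql
-- Added example, not from the thread.  Assumes the stock FreeRADIUS 1.1.x
-- MySQL schema: radcheck(UserName, Attribute, op, Value),
-- radgroupcheck(GroupName, Attribute, op, Value), usergroup(UserName, GroupName).
-- 'simon', 'wlan-users' and the password are placeholders.

-- 1. Find every forced Auth-Type, whatever table it sits in.  This is the
--    "find out where it is coming from" step before removing it.
SELECT 'radcheck' AS tbl, UserName AS name, Attribute, op, Value
  FROM radcheck      WHERE Attribute = 'Auth-Type'
UNION ALL
SELECT 'radgroupcheck', GroupName, Attribute, op, Value
  FROM radgroupcheck WHERE Attribute = 'Auth-Type';

-- 2. The row that produced the debug output in this thread.  Forcing
--    Auth-Type := Local on the group means the EAP-Message request is never
--    handed to the eap module; the Local method then looks for a
--    User-Password that an EAP request does not carry, and the user is
--    rejected with "no User-Password attribute".  Shown for comparison only:
--
--    INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
--      VALUES ('wlan-users', 'Auth-Type', ':=', 'Local');

-- 3. The fix: remove the forced Auth-Type everywhere and keep only the
--    password check item.  With Auth-Type unset, the eap module picks up
--    EAP requests in authorize and PEAP/MSCHAPv2 can use the known password.
DELETE FROM radgroupcheck WHERE Attribute = 'Auth-Type';
DELETE FROM radcheck      WHERE Attribute = 'Auth-Type';

INSERT INTO radcheck (UserName, Attribute, op, Value)
  VALUES ('simon', 'User-Password', ':=', 'change-me');
INSERT INTO usergroup (UserName, GroupName)
  VALUES ('simon', 'wlan-users');

-- 4. Verify: this must return 0, otherwise some row still forces Auth-Type.
SELECT COUNT(*) AS forced_auth_types
  FROM (SELECT Attribute FROM radcheck      WHERE Attribute = 'Auth-Type'
        UNION ALL
        SELECT Attribute FROM radgroupcheck WHERE Attribute = 'Auth-Type') AS t;
```

The same rule applies to Auth-Type = Accept in the PEAP thread above: step 1 locates it and step 3 removes it. Run the server with radiusd -X afterwards; the authorize section should show the eap module returning updated instead of rad_check_password reporting a found Auth-Type.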


Re: processes invoked goes defunct

2006-06-01 Thread Alan DeKok
Fabio [EMAIL PROTECTED] wrote:
 I am using freeradius 1.0.5,

  Install 1.1.2.

  Alan DeKok.


Re: Auth-Type = System not working

2006-06-01 Thread Alan DeKok
Shane [EMAIL PROTECTED] wrote:
Read radiusd.conf, and look for /etc/passwd.  Odds are that you
  enabled caching of /etc/passwd.  There's a reason it's not enabled by
  default: it doesn't work on FreeBSD.  Which is explicitly documented.

 No, that isn't the cause as I have the following in radiusd.conf:
...
  unix {
  # allowed values: {no, yes}
  cache = no

  OK...

  #  This is required for some systems, like FreeBSD,
  #  and Mac OSX.
  passwd = /etc/passwd

  Those should be commented out.

  Maybe radiusd doesn't have permission to call getpwent()?  See the
comments around the unix module in radiusd.conf.

  Alan DeKok.



Re: Server Specs

2006-06-01 Thread Alan DeKok
King, Michael [EMAIL PROTECTED] wrote:
 It's about 200-500 simultaneous authentications.

  What do you mean by that?  Authentications per second?

 I'm guessing 1ghz of cpu, 512MB of RAM, and 30gig of HD.  Suggestions,
 comments, criticisms?

  That should be lots.

  Alan DeKok.


Re: How the hell do you use multiple NOT values with rlm_checkval and sql??

2006-06-01 Thread Mike Jakubik

Alan DeKok wrote:

  Mike Jakubik [EMAIL PROTECTED] wrote:
    First of all, the above can be accomplished in SQL using the checkval 
    module and the += OP. That's great and dandy until you need to specify 
    numbers that users can NOT dial to. In any case that will not work for 
    me, as I need to do this for each group defined in SQL, not DEFAULT for 
    all users.

  So add the group as an additional check item.

It does not work with the != OP.

  This doesn't work quite the same in SQL, because the module doesn't
  support multiple entries.

    Yes it does, just not with a logical NOT.

  As I said, it's not really supported.

    I installed FreeRadius because it touted SQL support, now I'm finding
    out the features are limited, which is disappointing.

  There are few programs with unlimited features.

  That being said, I still think what you want is doable in
  FreeRADIUS.  Perhaps you could try discussing the problem, rather than
  SQL as a solution.  Odds are there's more than one way to reach the
  goal.  If you're fixated on SQL, you may not see another solution.

If there is a way to accomplish this outside of SQL, I'm quite open to 
suggestions, as long as I can refer to the groups which are in SQL. 
Basically, I need to be able to restrict certain user groups from 
dialing certain numbers.

