Re: How the hell do you use multiple NOT values with rlm_checkval and sql??
Mike Jakubik [EMAIL PROTECTED] wrote:
>> First of all, the above can be accomplished in SQL using the checkval
>> module and the += OP.
> That's great and dandy until you need to specify numbers that users can
> NOT dial to. In any case that will not work for me, as I need to do this
> for each group defined in SQL, not DEFAULT for all users.

  So add the group as an additional check item.

> This doesn't work quite the same in SQL, because the module doesn't
> support multiple entries.

  Yes it does, just not with a logical NOT. As I said, it's not really
supported.

> I installed FreeRadius because it touted SQL support, now I'm finding
> out the features are limited, which is disappointing.

  There are few programs with unlimited features.

  That being said, I still think what you want is doable in FreeRADIUS.
Perhaps you could try discussing the problem, rather than SQL as a
solution. Odds are there's more than one way to reach the goal. If
you're fixated on SQL, you may not see another solution.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Auth-Type = System not working
Maillists [EMAIL PROTECTED] wrote:
> but I know 100% that the password is correct. What appears to be
> happening (determined from hours of frustrating testing) is Freeradius
> (rlm_unix) is looking for the users' passwords in the /etc/passwd file
> but my /etc/passwd file doesn't contain any passwords:
>
>   test:*:1003:1003:Test User:/home/test:/bin/sh
>
> my /etc/master.passwd file does:
>
>   test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test User:/home/test:/bin/sh

  Read radiusd.conf, and look for /etc/passwd. Odds are that you enabled
caching of /etc/passwd. There's a reason it's not enabled by default: it
doesn't work on FreeBSD. Which is explicitly documented.

  Alan DeKok.
mysql 5.0.22 with fr 1.1.2
While trying to compile fr 1.1.2 with mysql 5.0.22 I got the following
from the rlm_sql_mysql configure:

  checking for mysql_config... yes
  checking for mysql_init in -lmysqlclient (using mysql_config)... no
  checking for mysql_init in -lmysqlclient... no
  configure: warning: mysql libraries not found. Use --with-mysql-lib-dir=path.
  checking for mysql.h (using mysql_config)... no
  checking for mysql/mysql.h... yes
  configure: warning: sql submodule 'mysql' disabled

The mysql libraries are in /opt/mysql/lib/mysql. The machine is under
Solaris 8 x86. crle output says:

  [EMAIL PROTECTED]:/usr/local/src/freeradius-1.1.2~# crle

  Configuration file [3]: /var/ld/ld.config
    Default Library Path (ELF):   /usr/lib:/usr/local/lib:/opt/mysql/lib/mysql:/usr/local/ssl/lib
    Trusted Directories (ELF):    /usr/lib/secure  (system default)

And /usr/local/mysql is a symbolic link to /opt/mysql. Everything seems
to be in place, but configure does not see mysql. What could be the
reason?

--
Sincerely Yours,
Alexander
RE: configuring Freeradius server + accounting + IP address
Hello !

> Hi All,
>
> I am newly joined to this group. I have started working on radius. I am
> facing some problems in configuring the free radius for accounting
> purpose and to get the IP address of MS.

What do you mean by IP address of MS ? accounting setup is pretty well
described in freeRadius documentation!

Regards,
Edvin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 8:23 PM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 13, Issue 145

Today's Topics:

   1. RE: Session-Octets-Limits (Seferovic Edvin)
   2. Re: Session-Octets-Limits (Mordor Networks)
   3. 1.1.2 Build Problems - rlm_eap-1.1.2.soT - ld: skipping incompatible (Alan)
   4. Re: 1.1.2 Build Problems - rlm_eap-1.1.2.soT - ld: skipping incompatible (Stefan Winter)
   5. RE: 1.1.2 Build Problems - rlm_eap-1.1.2.soT - ld: skipping incompatible (Alan)

----------------------------------------------------------------------

Message: 1
Date: Wed, 31 May 2006 12:16:43 +0200
From: Seferovic Edvin [EMAIL PROTECTED]
Subject: RE: Session-Octets-Limits
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org

> It's working and the user disconnects when he reaches the limit but
> now if the user disconnects and reconnects it will all start over. Is
> there a way to lock the account? so that the user won't be able to
> connect again?

YES, by using sqlcounter module ! This module should count the traffic
usage before user is authorized to connect.

Regards,
Edvin

------------------------------

Message: 2
Date: Wed, 31 May 2006 14:01:28 +0300
From: Mordor Networks [EMAIL PROTECTED]
Subject: Re: Session-Octets-Limits
To: [EMAIL PROTECTED], FreeRadius users mailing list freeradius-users@lists.freeradius.org

Do I have to patch the sqlcounter module so that it can be used for
counting traffic? I have the default sqlcounter in my radius.conf
sqlcounter Dailycounter and sqlcounter monthlycounter/

On 5/31/06, Seferovic Edvin [EMAIL PROTECTED] wrote:
> > It's working and the user disconnects when he reaches the limit but
> > now if the user disconnects and reconnects it will all start over. Is
> > there a way to lock the account? so that the user won't be able to
> > connect again?
>
> YES, by using sqlcounter module ! This module should count the traffic
> usage before user is authorized to connect.
>
> Regards,
> Edvin

------------------------------

Message: 3
Date: Wed, 31 May 2006 09:49:19 -0400
From: Alan [EMAIL PROTECTED]
Subject: 1.1.2 Build Problems - rlm_eap-1.1.2.soT - ld: skipping incompatible
To: freeradius-users@lists.freeradius.org

When I compile the latest stable FreeRadius build, version 1.1.2, I came
across a few problems. I noticed the eap library file has a T appended
to the end of it (rlm_eap-1.1.2.soT) and some ld warnings after running
make. Please advise.

~Alan

OS: Red Hat Enterprise v.3 AMD64

--- Make ld warnings:

sql_mysql.c: In function `sql_error':
sql_mysql.c:333: warning: return discards qualifiers from pointer target type
/usr/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libz.a when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.so when searching for -lpthread
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.a when searching for -lpthread
/usr/bin/ld: skipping incompatible /usr/lib/libcrypt.so when searching for -lcrypt
/usr/bin/ld: skipping incompatible /usr/lib/libcrypt.a when searching for -lcrypt
/usr/bin/ld: skipping incompatible /usr/lib/libnsl.so when searching for -lnsl
/usr/bin/ld: skipping incompatible /usr/lib/libnsl.a when searching for -lnsl
/usr/bin/ld: skipping incompatible /usr/lib/libm.so when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/libm.a when searching for -lm
/usr/bin/ld: skipping incompatible /usr/lib/libpthread.so when searching
freeradius rlm_sql driver problem-need help
Hello FR Users

Can anybody here help me out of this problem? I installed freeradius
version 1.1.1 with mysql on RH Linux Enterprise 4 ed. I've got this
result:

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded SQL
 sql: driver = "/usr/local/src/freeradius-1.1.1/src/modules/rlm_sql/drivers/rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "radius"
 sql: password = "radpass"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = no
 sql: sqltracefile = "/usr/local/var/log/radius/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
 sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
 sql:
Auth-Type = Reject not 'working'
hi,

the recent post mentioning Auth-Type = System reminded me: if I've got
an Auth-Type = Reject in the users file, then when making a request
with a remote RADIUS client, the request times out when freeradius is
running as a normal process daemon... on Fedora, this is running as a
service with the '-y' option... however, this timeout is variable..and
sometimes...just sometimes it works.

however, when running freeradius in debug mode, with -X, the Reject
reply message is pretty fast...though still a lot slower than an
Access-Accept message for a valid user - even though the valid user is
in a database or a kerberos check. I assumed that an Auth-Type := Reject
was an instant hit, with no further procedures...

why then, when run in debug mode, does FreeRADIUS happily reject the
client request but when run as a normal process, it throws the request
towards other Auth mechanisms?

alan
Re: mysql 5.0.22 with fr 1.1.2
Hi,

> while trying to compile fr 1.1.2 with mysql 5.0.22 I got the following
> from the rlm_sql_mysql configure:

you did do ./configure --with-mysql-lib-dir=/opt/mysql/lib/mysql as per
the output bleatings, yes?

alan
Re: mysql 5.0.22 with fr 1.1.2
Oh, sorry for the flood, found the solution in the archives.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2003-April/017789.html

[EMAIL PROTECTED] wrote:
> Hi,
>
>> while trying to compile fr 1.1.2 with mysql 5.0.22 I got the following
>> from the rlm_sql_mysql configure:
>
> you did do ./configure --with-mysql-lib-dir=/opt/mysql/lib/mysql as per
> the output bleatings, yes?
>
> alan

--
Sincerely Yours,
Alexander
Filter attributes when proxying
Hello all

Is it possible to (easily) remove single attributes sent or received
when proxying? I know it can be done with attr_filter but if you only
want to remove a single attribute while leaving the rest untouched, you
need pass rules for every other attribute. It doesn't look like
attr_rewrite can remove attributes. Am I wrong?

Otherwise I think this would be a nice feature to implement. The
attr_filter module can easily (I think) be changed to include a variable
to control whether or not passing rules are needed to allow an
attribute. Currently attributes are only allowed if they don't fail any
rules in attrs and pass at least one rule:

  if (fail == 0 && pass > 0)

This could be changed to something like

  if (fail == 0 && (pass > 0 || allow_no_match))

where a variable in the attrs file could control if passing rules are
required.

Sincerely,
Martin Zuziak
[EMAIL PROTECTED]
listening interface configuration
Hi,

I am going to configure a FreeRADIUS as a RADIUS proxy. My proxy will
have to listen on a couple of ports on 2 interfaces, so I set the
following configuration in radiusd.conf:

  listen {
      ipaddr = IP1
      port = 1812
      type = auth
  }
  listen {
      ipaddr = IP1
      port = 1813
      type = acct
  }
  listen {
      ipaddr = IP2
      port = 1812
      type = auth
  }
  listen {
      ipaddr = IP2
      port = 1813
      type = acct
  }

When I start FreeRADIUS, I get the following:

  ...
  Listening on authentication IP1:1812
  Listening on accounting IP1:1813
  Listening on authentication IP2:1812
  Listening on accounting IP2:1813
  Listening on proxy IP1:1814
  ...

If I understand correctly, packets coming in on IP2 will be forwarded
through IP1, right? Is there a configuration solution to make packets
coming in on IP2 be forwarded through IP1, or is FreeRADIUS limited to
only one proxy ip/port?

Thank you in advance,
Geof.
proxy_fail_type attribute
Hi,

I just got the last CVS update, and I discovered a hidden attribute in
mainconfig.c, named proxy_fail_type. By reading the source code, my
understanding is that setting this attribute to fail (for example) in
proxy.conf, and setting the value fail for Post-Proxy-Type in
dictionary.freeradius.internal, will allow FreeRADIUS to execute a
module when the proxy of a request failed (no response from server or
other cases).

My 1st question:
- Am I right (or near to the truth)?

I saw that this was not shipped in 1.1.2. But this feature appeared by
the end of 2004. So my 2nd and 3rd questions are:
- Has anyone used or is anyone using this feature in a production deployment?
- Is this feature planned to be shipped in 1.2.x?

Thank you in advance.
Geof.
Re: Auth-Type = Reject not 'working'
[EMAIL PROTECTED] wrote:
> however, when running freeradius in debug mode, with -X, the Reject
> reply message is pretty fast...though still a lot slower than an
> Access-Accept message for a valid user - even though the valid user is
> in a database or a kerberos check. I assumed that an Auth-Type := Reject
> was an instant hit, with no further procedures...

security {
        #  delayed_reject: When sending an Access-Reject, it can be
        #  delayed for a few seconds.  This may help slow down a DoS
        #  attack.  It also helps to slow down people trying to brute-force
        #  crack a users password.
        #
        #  Setting this number to 0 means send rejects immediately
        reject_delay = 1
}

> why then, when run in debug mode, does FreeRADIUS happily reject the
> client request but when run as a normal process, it throws the request
> towards other Auth mechanisms?

  I'm not sure about *that* aspect of it. I've never seen it. But
rejects are delayed in the default config.
1.1.2 eap problem
Hi !

Upgrading from 1.1.1 to 1.1.2 and now I get this error message :

Thu Jun  1 12:26:22 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Thu Jun  1 12:26:22 2006 : Error: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
Thu Jun  1 12:26:22 2006 : Error: rlm_eap_tls: Error reading Trusted root CA list
Thu Jun  1 12:26:22 2006 : Error: rlm_eap: Failed to initialize type tls
Thu Jun  1 12:26:22 2006 : Error: radiusd.conf[10]: eap: Module instantiation failed.
Thu Jun  1 12:26:22 2006 : Error: radiusd.conf[1735] Unknown module "eap".
Thu Jun  1 12:26:22 2006 : Error: radiusd.conf[1722] Failed to parse authenticate section.

My system is a FreeBSD 6.1-Stable
Re: Auth-Type = Reject not 'working'
Hi,

>         #  Setting this number to 0 means send rejects immediately
>         reject_delay = 1

i know this one - but why the change in behaviour when running in debug
mode (where it all works fine - nice 1 second timeout, no checking
against other Authentication methods etc) compared to running as a real
service?

alan
PPPoE server + MySQL backend tutorial
plz do you have tutorial links to PPPoE server + MySQL backend??
straightforward and easy to understand. thanks

this tool really needs Howtos
revoking ca certificates
Hey All,

Anybody know how to revoke the certificates? what changes need to be
done in the freeradius eap.conf file? I'm trying to do it in the way
it's given in the default config file:

openssl command to revoke the ca-certificate:

  openssl ca -gencrl -keyfile ./privatekey.pem -cert cacert.pem revoke cacert.pem -out crl.pem

1. copied ca crl to ./ directory ( my ca crl files are in current directory )
2. c_rehash ./

  tls {
      ...
      CA_file = ./cacert.pem
      CA_path = ./
      check_crl = yes
  }

Still the server returns success for the user. Any idea ? where am I
missing the configuration? Please reply me with your info.

Thanks
Sumi

--
If u look at what u dont have in life, u dont have anything
But if u look at what u have in life, u have everything.!!
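Before blaming check_crl, a practitioner would confirm outside FreeRADIUS that the CRL actually lists the certificate being presented. The script below is an added example, not code from the post above: it builds a throw-away test CA in a temporary directory (directory, file names and subjects are all constructed here), issues two client certificates, revokes one, generates the CRL and runs openssl verify -crl_check against both; it assumes only that the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example, not from the original post: build a throw-away test CA,
# issue two client certificates, revoke one, generate the CRL and check with
# "openssl verify -crl_check" that the CRL really rejects the revoked one.
# Everything here (directory, file names, subjects) is constructed test data;
# the only assumption is that the openssl command-line tool is installed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config for "openssl req" and "openssl ca": where the database,
# serial, CA key and certificate live, how long signed certificates and CRLs
# are valid, and the basicConstraints that mark the self-signed cert as a CA.
cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints = critical,CA:TRUE

[ ca ]
default_ca = test_ca

[ test_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = test_policy

[ test_policy ]
commonName = supplied
EOF

make_test_ca() {
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    # Self-signed CA key and certificate (test data only).
    openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test CA" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# issue_client_cert NAME OUTFILE: CSR for /CN=NAME, signed by the test CA so
# that it is recorded in index.txt and can later be revoked.
issue_client_cert() {
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" \
        -in "$WORK/$1.csr" -out "$2" 2>/dev/null
}

# revoke_and_gencrl CERT: mark CERT revoked in the CA database, then write
# crl.pem, the file that CA_path (after c_rehash) or CA_file would carry.
revoke_and_gencrl() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$1" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# verify_against_crl CERT: prints "revoked", "ok" or "error" depending on how
# the verifier judges CERT against the CA certificate plus the CRL.
verify_against_crl() {
    out=$(openssl verify -crl_check -CAfile "$WORK/cacert.pem" \
        -CRLfile "$WORK/crl.pem" "$1" 2>&1 || true)
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}

make_test_ca
issue_client_cert revoked-user "$WORK/revoked.pem"
issue_client_cert good-user "$WORK/good.pem"
revoke_and_gencrl "$WORK/revoked.pem"

# A CRL that does not list the certificate (or a stale one) prints "ok" here;
# no check_crl setting in eap.conf can reject what the CRL does not name.
printf 'revoked.pem: %s\n' "$(verify_against_crl "$WORK/revoked.pem")"
printf 'good.pem:    %s\n' "$(verify_against_crl "$WORK/good.pem")"
```

Run the same verify_against_crl step with your real cacert.pem, crl.pem and the user's certificate; if it prints "ok", the CRL, not the server configuration, is what needs fixing.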
processes invoked go defunct
Hi,

I am using freeradius 1.0.5, configured so that when a user fails the
password X times, a mail is sent to a sysadmin. I have added the
following to the modules section:

  exec accept_notify {
      wait = no
      program = "/usr/local/etc/raddb/radius_reject_notify %{User-Name} accept %{FreeRADIUS-Proxied-To}"
      input_pairs = request
  }
  exec reject_notify {
      wait = no
      program = "/usr/local/etc/raddb/radius_reject_notify %{User-Name} reject %{FreeRADIUS-Proxied-To}"
      input_pairs = request
  }

and this is my post-auth section:

  post-auth {
      accept_notify
      Post-Auth-Type REJECT {
          reject_notify
      }
  }

radius_reject_notify is the bash script attached. However, when a user
logs in and the script is executed, I see that the script remains in a
defunct state. After some time I see hundreds of such processes:

Output of ps -e:

  13110 ?        00:00:00 radius_reject_n <defunct>
  13232 ?        00:00:00 radius_reject_n <defunct>
  13233 ?        00:00:00 radius_reject_n <defunct>

Has someone an idea why freeradius does not close my script correctly?

Thanks,
Fabio

radius_reject_notify:

#!/bin/bash
#
# Syntax:
#
#   mail_notify user access type
#     user:   user name
#     access: accept or reject
#     type:   accepted only if ( == FreeRADIUS-Proxied-To ) == 127.0.0.1
#
# TRY: number of retries before the admins are mailed
TRY=10
FAILED_USERS_DIR=/tmp/radius_user_fail/
# Admin address (redacted in the archive)
MAIL_ADMINS=[EMAIL PROTECTED]
USER_RETRY=0
CURRENT_USER=$1
ACCESS=$2

# Count one more failure for the user; mail the admins when the limit is hit.
failed() {
    mkdir -p $FAILED_USERS_DIR
    if [ -e $FAILED_USERS_DIR/$CURRENT_USER ]
    then
        USER_RETRY=`cat $FAILED_USERS_DIR/$CURRENT_USER`
    fi
    USER_RETRY=$(( USER_RETRY + 1 ))
    echo $USER_RETRY > $FAILED_USERS_DIR/$CURRENT_USER
    if (( USER_RETRY == $TRY ))
    then
        # Limit exceeded!
        send_mail
    fi
}

# A successful login resets the user's failure counter.
success() {
    if [ -e $FAILED_USERS_DIR/$CURRENT_USER ]
    then
        rm -f $FAILED_USERS_DIR/$CURRENT_USER
    fi
}

send_mail() {
    HOSTNAME=`hostname`
    # Sender address (redacted in the archive) and SMTP relay are passed to nail via its environment
    env MAILRC=/dev/null [EMAIL PROTECTED] smtp=smtp.domain.com \
        nail -n -s "RADIUS - Authentication failed $TRY times" $MAIL_ADMINS <<END
$CURRENT_USER failed authentication for $TRY times.
END
}

# Only act on requests that were not proxied (FreeRADIUS-Proxied-To == 127.0.0.1)
case $3 in
    '127.0.0.1')
        case $ACCESS in
            'accept') success ;;
            'reject') failed ;;
        esac
        ;;
esac
Re: EAP (PEAP) problems
Alan DeKok wrote:
>   Why did you add Auth-Type = Accept to the server?  It's breaking EAP.
>
>   Alan DeKok.

Auth-Type = EAP?  A few folks had mentioned to us that using the EAP
auth type was a bad idea.  Why?  No idea.  It seems obvious, so we'll
give it a shot.

--
Drew Linsalata
The Gotham Bus Company, Inc.
Dedicated Servers and Colocation Solutions
Long Island, New York
http://www.gothambus.com
RE: Re: freeradius 1.1.1 and mysql issues
Hi,

I have tried reordering the elements in the radiusd.conf file so that
the database is tried first, and then commented out the section to check
the users file, and I am still having the same issues. Here is the
output again:

Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.1:1320, id=0, length=123
        User-Name = "simon"
        NAS-IP-Address = 10.10.1.1
        Called-Station-Id = "0014bff3dac8"
        Calling-Station-Id = "0013ce29c6d7"
        NAS-Identifier = "0014bff3dac8"
        NAS-Port = 56
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020a0173696d6f6e
        Message-Authenticator = 0x68b3f01e605eb032281dd6c99dfd9e52
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "simon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
radius_xlat:  'simon'
rlm_sql (sql): sql_set_user escaped user --> 'simon'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'simon' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'simon' ORDER BY id
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'simon' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'simon' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'simon' ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'simon' ORDER BY id
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'simon' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'simon' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [simon/<no User-Password attribute>] (from client linksys-434 port 56 cli 0013ce29c6d7)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.10.1.1 port 1320
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 447ef7e2
Nothing to do.  Sleeping until we see a request.

As before, it still authenticates perfectly when I try it with either
NTRadPing or radtest.

Thanks again,
Simon

> hi,
>
> you say it works okay with NTRadPing and that when you use an entry in
> the users file it works...however in the log you supplied it's still
> matching an entry in the users file - and the server is then happy to
> use that matching entry rather than one in the DB.
>
> the log you posted also shows that it is attempting to use the files
> method...and that the match told it to use Local authentication..the
> database query is then superfluous.
>
> alan
RE: Re: freeradius 1.1.1 and mysql issues
>   modcall[authorize]: module "sql" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Login incorrect: [simon/<no User-Password attribute>] (from client linksys-434 port 56 cli 0013ce29c6d7)

There is no password ? Is that okay? You can set Auth-Type to Accept if
the user is found in sql ! If that is what you actually want.

Regards,
Edvin
PEAP + Active directory
I'm having a strange problem after my supplicant gets authenticated to
my active directory. My supplicant is trying to get authenticated to
active directory or validating identity every 60 mins, which disturbs
the wireless connection and bothers me a lot. Is this normal, or can I
set the timer to authenticate every 120 mins or whatever timing I like?
I'm using dynamic WEP and it has been set to change the key every 6
hours.

Any help will be really appreciated.

Thanks in advance.
Kartthik
RE: RE: Re: freeradius 1.1.1 and mysql issues
There is a password in the database (in the radcheck table) associated
with the username. I am also supplying both the username and password on
my laptop as I am trying to connect. I currently have the Auth-Type
being set (:=) to Local in the radgroupcheck table. I believe this
should all be set up properly.

Simon

>>   modcall[authorize]: module "sql" returns ok for request 0
>> modcall: leaving group authorize (returns updated) for request 0
>>   rad_check_password:  Found Auth-Type Local
>> auth: type Local
>> auth: No User-Password or CHAP-Password attribute in the request
>> auth: Failed to validate the user.
>> Login incorrect: [simon/<no User-Password attribute>] (from client linksys-434 port 56 cli 0013ce29c6d7)
>
> There is no password ? Is that okay? You can set Auth-Type to Accept if
> the user is found in sql ! If that is what you actually want.
>
> Regards,
> Edvin
Re: Auth-Type = System not working
Alan DeKok wrote:
> Maillists [EMAIL PROTECTED] wrote:
>> but I know 100% that the password is correct. What appears to be
>> happening (determined from hours of frustrating testing) is Freeradius
>> (rlm_unix) is looking for the users' passwords in the /etc/passwd file
>> but my /etc/passwd file doesn't contain any passwords:
>>
>>   test:*:1003:1003:Test User:/home/test:/bin/sh
>>
>> my /etc/master.passwd file does:
>>
>>   test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test User:/home/test:/bin/sh
>
>   Read radiusd.conf, and look for /etc/passwd. Odds are that you enabled
> caching of /etc/passwd. There's a reason it's not enabled by default: it
> doesn't work on FreeBSD. Which is explicitly documented.
>
>   Alan DeKok.

No, that isn't the cause as I have the following in radiusd.conf:

        # Unix /etc/passwd style authentication
        #
        unix {
                #  allowed values: {no, yes}
                cache = no

                # Reload the cache every 600 seconds (10mins). 0 to
                # disable.
                cache_reload = 600

                #  This is required for some systems, like FreeBSD,
                #  and Mac OSX.
                passwd = /etc/passwd
                shadow = /etc/master.passwd
                group = /etc/group

                # radwtmp = ${logdir}/radwtmp
        }

I'm assuming the cache_reload=600 doesn't matter as the cache was
disabled earlier in the config. Any other things I should check to get
Auth-Type = System working?

Shane
Server Specs
We're going to be setting up a few new FreeRADIUS servers on virtual
hardware. The server admin is asking me what I need for specs.
(Virtually, they can allocate whatever I need.)

It's about 200-500 simultaneous authentications. (This is my prediction
for the next 4 years, we're about 10 right now.) Using NTLM-auth to talk
to Active Directory, and performing PEAP.

I'm guessing 1ghz of cpu, 512MB of RAM, and 30gig of HD. Suggestions,
comments, criticisms?
Re: Re: freeradius 1.1.1 and mysql issues
Hi,

I have tried reordering the elements in the radiusd.conf file so that the database is tried first, and then commented out the section to check the users file, and I am still having the same issues. Here is the output again:

  modcall: leaving group authorize (returns updated) for request 0
  rad_check_password: Found Auth-Type Local
  auth: type Local
  auth: No User-Password or CHAP-Password attribute in the request
  ^^^
  auth: Failed to validate the user.
  Login incorrect: [simon/no User-Password attribute] (from client linksys-434 port 56 cli 0013ce29c6d7)
  ^^

check the logs when you run NTRadPing etc - it looks like the linksys isn't sending all it needs to send.

alan
Re: EAP (PEAP) problems
Drew Linsalata wrote:

Alan DeKok wrote: Why did you add Auth-Type = Accept to the server? It's breaking EAP. Alan DeKok.

Auth-Type = EAP? A few folks had mentioned to us that using the EAP auth type was a bad idea. Why? No idea. It seems obvious, so we'll give it a shot.

No. You should not have to set Auth-Type to anything, at all, except in very specialised configurations. Don't set it at all. For example, the entry in the users file might look like:

  username User-Password := password

...and nothing else.
Re: EAP (PEAP) problems
Drew Linsalata [EMAIL PROTECTED] wrote: Auth-Type = EAP? A few folks had mentioned to us that using the EAP auth type was a bad idea. Why? No idea. It seems obvious, so we'll give it a shot.

NO! Read the documentation in eap.conf for why it's a bad idea. The solution to one broken configuration is NOT to add yet another broken configuration. Find out where the Auth-Type Accept is coming from, and fix it!

Alan DeKok.
Re: freeradius 1.1.1 and mysql issues
[EMAIL PROTECTED] wrote: I have tried reordering the elements in the radiusd.conf file so that the database is tried first, and then commented out the section to check the users file, and I am still having the same issues.

Re-ordering radiusd.conf won't help. The problem is the broken configuration.

1) The server is receiving an EAP request
2) You're forcing it to do Auth-Type of Local.
3) therefore it's not doing EAP, *or* Local.

Stop setting Auth-Type. You're breaking the server.

Alan DeKok.
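The diagnosis in this thread can be read straight off the "radiusd -X" output: a "Found Auth-Type" line followed by "No User-Password or CHAP-Password attribute" and a "Login incorrect" means a check item forced the Auth-Type on a request that carries neither password attribute (here an EAP exchange from the laptop). The script below is an added example, not FreeRADIUS code: it groups the debug lines quoted in the thread by request and flags that pattern. The line formats it matches are the ones quoted above; the second, healthy request in the sample is constructed here to show the contrast, and the diagnosis text is this example's wording.

```python
"""Triage FreeRADIUS 1.x 'radiusd -X' output for a forced Auth-Type.

Added example for this thread, not FreeRADIUS code.  The regexes match the
line formats quoted in the thread; the second request in SAMPLE_DEBUG is
constructed here to show what a healthy exchange looks like.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: request 0 is the output quoted in the thread,
# request 1 is a made-up healthy EAP authentication for contrast.
SAMPLE_DEBUG = """\
modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [simon/no User-Password attribute] (from client linksys-434 port 56 cli 0013ce29c6d7)
modcall[authorize]: module eap returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type EAP
Login OK: [alice] (from client nas1 port 2)
"""

REQ_RE = re.compile(r"\bfor request (\d+)\b")
AUTH_TYPE_RE = re.compile(r"^rad_check_password: Found Auth-Type (\S+)")
NO_PW_RE = re.compile(r"^auth: No User-Password or CHAP-Password attribute")
LOGIN_BAD_RE = re.compile(r"^Login incorrect: \[([^/\]]+)(?:/([^\]]*))?\]")
LOGIN_OK_RE = re.compile(r"^Login OK: \[([^\]]+)\]")


@dataclass
class RequestTrace:
    request_id: int
    auth_type: Optional[str] = None   # value from a 'Found Auth-Type' line
    no_password: bool = False         # 'No User-Password or CHAP-Password' seen
    user: Optional[str] = None
    outcome: Optional[str] = None     # 'ok', 'incorrect' or None
    reason: Optional[str] = None      # text after '/' in 'Login incorrect'

    @property
    def finding(self) -> Optional[str]:
        """The misconfiguration diagnosed in this thread: a forced Auth-Type
        on a request that carries no password attribute, so the server can
        do neither EAP nor the forced type."""
        if self.auth_type and self.no_password and self.outcome == "incorrect":
            return (f"Auth-Type forced to {self.auth_type!r} on a request with no "
                    "User-Password/CHAP-Password; remove the Auth-Type check item "
                    "(users file, radcheck or radgroupcheck) and let the server "
                    "pick EAP/PAP itself")
        return None


def parse_debug(text: str) -> List[RequestTrace]:
    """Group debug lines by request number; lines without a request marker
    belong to the most recently seen request."""
    traces: Dict[int, RequestTrace] = {}
    current: Optional[RequestTrace] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_RE.search(line)
        if m:
            current = traces.setdefault(int(m.group(1)), RequestTrace(int(m.group(1))))
        if current is None:
            continue  # output before the first request marker is ignored
        if (m := AUTH_TYPE_RE.match(line)):
            current.auth_type = m.group(1)
        elif NO_PW_RE.match(line):
            current.no_password = True
        elif (m := LOGIN_BAD_RE.match(line)):
            current.user, current.reason = m.group(1), m.group(2)
            current.outcome = "incorrect"
        elif (m := LOGIN_OK_RE.match(line)):
            current.user, current.outcome = m.group(1), "ok"
    return [traces[k] for k in sorted(traces)]


if __name__ == "__main__":
    for t in parse_debug(SAMPLE_DEBUG):
        print(f"request {t.request_id}: user={t.user} auth_type={t.auth_type} "
              f"outcome={t.outcome} finding={t.finding or 'none'}")
```

Feed it the real "radiusd -X" output instead of SAMPLE_DEBUG; a request that reports a finding is one where an Auth-Type check item is overriding the server's own choice, which is exactly what "stop setting Auth-Type" addresses.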
Re: processes invoked goes defunct
Fabio [EMAIL PROTECTED] wrote: I am using freeradius 1.0.5,

Install 1.1.2.

Alan DeKok.
Re: Auth-Type = System not working
Shane [EMAIL PROTECTED] wrote:

Read radiusd.conf, and look for /etc/passwd. Odds are that you enabled caching of /etc/passwd. There's a reason it's not enabled by default, it doesn't work on FreeBSD. Which is explicitly documented.

No, that isn't the cause as I have the following in radiusd.conf:
...
  unix {
      #  allowed values: {no, yes}
      cache = no

OK...

      #  This is required for some systems, like FreeBSD,
      #  and Mac OSX.
      passwd = /etc/passwd

Those should be commented out. Maybe radiusd doesn't have permission to call getpwent()? See the comments around the unix module in radiusd.conf.

Alan DeKok.
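Both posts in this thread turn on where the hash actually lives: the /etc/passwd record has "*" in the password field, the /etc/master.passwd record has a real "$1$" (MD5-crypt) hash, and on FreeBSD an unprivileged getpwnam() caller is handed that same "*" placeholder, so rlm_unix cannot verify anything unless it can read the shadow file named by "shadow = /etc/master.passwd". The script below is an added example, not FreeRADIUS code: it parses the two record formats quoted in the thread (7-field passwd, 10-field BSD master.passwd), tells a placeholder apart from a verifiable hash, and reports which file holds the usable copy. The placeholder list and the "des"/"unknown" labels are this example's own rules.

```python
"""Which file holds the hash rlm_unix needs?  Added example for this thread,
not FreeRADIUS code.  Parses 7-field /etc/passwd and 10-field BSD
/etc/master.passwd records; the placeholder set below is this example's rule."""
from dataclasses import dataclass
from typing import Dict, Optional

PASSWD_FIELDS = 7          # name:pw:uid:gid:gecos:home:shell
MASTER_PASSWD_FIELDS = 10  # name:pw:uid:gid:class:change:expire:gecos:home:shell
PLACEHOLDERS = {"", "*", "x", "!", "!!"}   # values crypt(3) can never match

# Constructed sample input: the two records quoted in the thread.
PASSWD_SAMPLE = "test:*:1003:1003:Test User:/home/test:/bin/sh\n"
MASTER_SAMPLE = ("test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:"
                 "Test User:/home/test:/bin/sh\n")


@dataclass
class PasswdEntry:
    name: str
    pw_hash: str
    uid: int
    gid: int
    shell: str
    source: str   # "passwd" or "master.passwd", decided by field count

    @property
    def has_usable_hash(self) -> bool:
        return self.pw_hash not in PLACEHOLDERS

    @property
    def hash_scheme(self) -> Optional[str]:
        """Modular-crypt id ($1$ md5, $5$ sha256, $6$ sha512), 'des' for a bare
        13-character traditional hash, or None for a placeholder."""
        if not self.has_usable_hash:
            return None
        if self.pw_hash.startswith("$"):
            ident = self.pw_hash.split("$")[1]
            return {"1": "md5", "5": "sha256", "6": "sha512"}.get(ident, ident)
        return "des" if len(self.pw_hash) == 13 else "unknown"


def parse_entry(line: str) -> PasswdEntry:
    """Split one record on ':' and pick the layout from the field count."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == PASSWD_FIELDS:
        name, pw, uid, gid, _gecos, _home, shell = fields
        source = "passwd"
    elif len(fields) == MASTER_PASSWD_FIELDS:
        name, pw, uid, gid, _cls, _change, _expire, _gecos, _home, shell = fields
        source = "master.passwd"
    else:
        raise ValueError(f"unrecognised record ({len(fields)} fields): {line!r}")
    return PasswdEntry(name, pw, int(uid), int(gid), shell, source)


def find_hash(user: str, files: Dict[str, str]) -> Optional[PasswdEntry]:
    """Search file contents (path -> text) in order and return the first record
    for `user` carrying a real hash; None if every copy is a placeholder, which
    is what rlm_unix sees when it can only read /etc/passwd."""
    for _path, text in files.items():
        for line in text.splitlines():
            if not line or line.startswith("#"):
                continue
            entry = parse_entry(line)
            if entry.name == user and entry.has_usable_hash:
                return entry
    return None


if __name__ == "__main__":
    files = {"/etc/passwd": PASSWD_SAMPLE, "/etc/master.passwd": MASTER_SAMPLE}
    for path, text in files.items():
        e = parse_entry(text.strip())
        status = "hash" if e.has_usable_hash else "placeholder"
        print(f"{path}: {e.name} {status} scheme={e.hash_scheme}")
    hit = find_hash("test", files)
    print("verifiable hash found in:", hit.source if hit else "nowhere")
```

Run it as the user radiusd drops privileges to, with the real files in place of the samples: if only /etc/passwd is readable, find_hash() returns None for every account, and that is the failure mode behind "Auth-Type = System not working".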
Re: Server Specs
King, Michael [EMAIL PROTECTED] wrote: It's about 200-500 simultaneous authentications.

What do you mean by that? Authentications per second?

I'm guessing 1ghz of cpu, 512MB of RAM, and 30gig of HD. Suggestions, comments, criticisms?

That should be lots.

Alan DeKok.
Re: How the hell do you use multiple NOT values with rlm_checkval and sql??
Alan DeKok wrote:

Mike Jakubik [EMAIL PROTECTED] wrote: First of all, the above can be accomplished in SQL using the checkval module and the += OP. That's great and dandy until you need to specify numbers that users can NOT dial to. In any case that will not work for me, as i need to do this for each group defined in SQL, not DEFAULT for all users.

So add the group as an additional check item.

It does not work with the != OP.

This doesn't work quite the same in SQL, because the module doesn't support multiple entries.

Yes it does, just not with a logical NOT.

As I said, it's not really supported. I installed FreeRadius because it touted SQL support, now im finding out the features are limited, which is disappointing.

There are few programs with unlimited features. That being said, I still think what you want is doable in FreeRADIUS. Perhaps you could try discussing the problem, rather than SQL as a solution. Odds are there's more than one way to reach the goal. If you're fixated on SQL, you may not see another solution.

If there is a way to accomplish this outside of SQL, I'm quite open to suggestions. As long as I can refer to the groups which are in SQL. Basically, I need to be able to restrict certain user groups from dialing certain numbers.