Radius Logs

2006-06-23 Thread Grant Wright








Hi there

Freeradius 1.1.2, Fedora Core 4, MySQL 4.1.16

I use the RADIUS logs to calculate usage for a client. What I
want to do is separate the internal FTP traffic (which is classified as free
traffic) from the rest of the traffic so that I can charge the client
accordingly.

Any help would be appreciated, I am fairly new to this.

Thanks






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeradius and certs

2006-06-23 Thread unforgiver

Hi
if i understand well i need 9 cert files:

root.pem, root.p12, root.der

cert-clt.pem, cert-clt.p12, cert-clt.der 

cert-srv.pem, cert-srv.p12, cert-srv.der

i have demo certs but they expired.

How can i create these 9 certs?
i try with CA.all and i had multiple errors.
is there another way?
--
View this message in context: 
http://www.nabble.com/freeradius-and-certs-t1834817.html#a5007516
Sent from the FreeRadius - User forum at Nabble.com.



Re: Debian TLS support

2006-06-23 Thread Nicolas Baradakis
Scott Hughes wrote:

 rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open
 shared object file: No such file or directory radiusd.conf[9]:
 eap: Module instantiation failed

Get a source tarball from www.freeradius.org and manually build
a Debian package as explained in the FAQ.

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ

-- 
Nicolas Baradakis



Re: Parse error freeradius-1.1.1

2006-06-23 Thread Nicolas Baradakis
Lin Richardson wrote:

 You are welcome to send me testing needs and I'll accommodate as I can.
 May not be same day service, but I'd be happy to do it.

Thanks for the help. Could you try please the autotools upgrade
in the CVS?

$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
CVS password: anoncvs
$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 radiusd

-- 
Nicolas Baradakis



WIKI down

2006-06-23 Thread Francois-Xavier GAILLARD

Hi list,

 when going on the wiki (http://wiki.freeradius.org,) identified as a
registered user, there's a PHP error:

Fatal error: Call to undefined function: getuser() in
/srv/www/vhosts/wiki-freeradius/includes/Skin.php on line 546

Could anyone repair please ? :)


Regards,
Fox.



Compiling Problem concerning `crypt' !!!

2006-06-23 Thread Ravi pandey
Hi all,

Attached the codes of error when I am compiling freeradius-1.1.2. When I finish ./configure, then MAKE, the error happens. I am not able to figure out where is the problem. Please give any comment on the problem.

Log created while creating MAKE is as follows:

make[1]: Entering directory `/Home/ochome/rpathak/freeradius-1.1.2'
Making all in libltdl...
make[2]: Entering directory `/Home/ochome/rpathak/freeradius-1.1.2/libltdl'
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -c ltdl.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -c ltdl.c -fPIC -DPIC -o .libs/ltdl.lo
ltdl.c: In function `lt_dlopenext':
ltdl.c:2926: warning: unused variable `file_found'
gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -c ltdl.c -o ltdl.o >/dev/null 2>&1
mv -f .libs/ltdl.lo ltdl.lo
/bin/sh ./libtool --mode=link gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -o libltdl.la -rpath /usr/local/lib -no-undefined -version-info 4:0:1 ltdl.lo -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread
rm -fr .libs/libltdl.la .libs/libltdl.* .libs/libltdl.*
/usr/ccs/bin/ld -G -z defs -h libltdl.so.3 -o .libs/libltdl.so.3.1.0 ltdl.lo -ldl -lnsl -lresolv -lsocket -lposix4 -lpthread -lc
(cd .libs && rm -f libltdl.so.3 && ln -s libltdl.so.3.1.0 libltdl.so.3)
(cd .libs && rm -f libltdl.so && ln -s libltdl.so.3.1.0 libltdl.so)
ar cru .libs/libltdl.a ltdl.o
ranlib .libs/libltdl.a
creating libltdl.la
(cd .libs && rm -f libltdl.la && ln -s ../libltdl.la libltdl.la)
make[2]: Leaving directory `/Home/ochome/rpathak/freeradius-1.1.2/libltdl'
Making all in src...
make[2]: Entering directory `/Home/ochome/rpathak/freeradius-1.1.2/src'
make[3]: Entering directory `/Home/ochome/rpathak/freeradius-1.1.2/src'
Making all in include...
make[4]: Entering directory `/Home/ochome/rpathak/freeradius-1.1.2/src/include'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory `/Home/ochome/rpathak/freeradius-1.1.2/src/include'
Making all in lib...
make[4]: Entering directory `/Home/ochome/rpathak/freeradius-1.1.2/src/lib'
/Home/ochome/rpathak/freeradius-1.1.2/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS -I../include -c crypt.c
mkdir .libs
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS -I../include -c crypt.c -fPIC -DPIC -o .libs/crypt.lo
In file included from crypt.c:31:
/usr/include/pthread.h:299: error: parse error before '*' token
/usr/include/pthread.h:300: error: parse error before '*' token
/usr/include/pthread.h:301: error: parse error before '*' token
/usr/include/pthread.h:302: error: parse error before '*' token
/usr/include/pthread.h:303: error: parse error before '*' token
/usr/include/pthread.h:304: error: parse error before '*' token
/usr/include/pthread.h:305: error: parse error before '*' token
/usr/include/pthread.h:306: error: parse error before '*' token
/usr/include/pthread.h:308: error: parse error before '*' token
/usr/include/pthread.h:309: error: parse error before '*' token
/usr/include/pthread.h:311: error: parse error before '*' token
/usr/include/pthread.h:312: error: parse error before '*' token
make[4]: *** [crypt.lo] Error 1
make[4]: Leaving directory `/Home/ochome/rpathak/freeradius-1.1.2/src/lib'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/Home/ochome/rpathak/freeradius-1.1.2/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/Home/ochome/rpathak/freeradius-1.1.2/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/Home/ochome/rpathak/freeradius-1.1.2'
make: *** [all] Error 2

Ravi Kant Pandey

ldap client side credential caching in freeradius-1.1.1

2006-06-23 Thread bright spark
Hello Everybody,

I would like to know whether freeradius supports ldap credential caching mechanism? According to the release notes, this support was added in dec'2000 and was removed in march'2003 because openldap latest version didn't support that.

What happens if we use some other ldap servers or microsoft ADS? Is it possible to add this support in the latest release?

Please reply me if you have any idea.

Thanks,
Jenni.

Re: Freeradius-Users Digest, Vol 14, Issue 95

2006-06-23 Thread Walter Reynolds


Great, this worked.

Now the question is what example config file had the suppress stanza under 
the detail auth_log section as well?  Mine just listed it under the detail 
section so I did not know I needed to put it in both places.



On Thu, 22 Jun 2006, [EMAIL PROTECTED] wrote:


Date: Thu, 22 Jun 2006 20:15:54 +0100
From: [EMAIL PROTECTED]
Subject: Re: So how do you suppress
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Hi,


So how do I actually suppress the user password from the detail log based
on this?  Looking at the rlm_detail file and I might as well be looking at
a foreign language.


you can, for example, do something like this in radiusd.conf

   # Write a detailed log of all accounting records received.
   #
   detail {
       #  Note that we do NOT use NAS-IP-Address here, as
       #  that attribute MAY BE from the originating NAS, and
       # blah blah blah
       detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

       detailperm = 0600
       suppress {
           User-Password
       }
   }

   detail auth_log {
       detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

       detailperm = 0600
       suppress {
           User-Password
       }
   }

it's SO much easier if you read the example config files that come with the
new release as they often contain HOW to use a feature/option/argument :-)

alan




-- Walter Reynolds
   University of Michigan


Re: freeradius and certs

2006-06-23 Thread Walter Reynolds


Knowing the errors might help, but here is a good web page with 
instructions:


http://www.linuxjournal.com/article/8095


---


Date: Fri, 23 Jun 2006 00:40:20 -0700 (PDT)
From: unforgiver [EMAIL PROTECTED]
Subject: freeradius and certs
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii


Hi
if i understand well i need 9 cert files:

root.pem, root.p12, root.der

cert-clt.pem, cert-clt.p12, cert-clt.der

cert-srv.pem, cert-srv.p12, cert-srv.der

i have demo certs but they expired.

How can i create these 9 certs?
i try with CA.all and i had multiple errors.
is there another way?
--
View this message in context: 
http://www.nabble.com/freeradius-and-certs-t1834817.html#a5007516

Sent from the FreeRadius - User forum at Nabble.com.


-- Walter Reynolds
   University of Michigan


Re: error: Installed (but unpackaged) files(s) found: on REDHAT Enterprise 4.0 (RHEL4) and FreeRadius 1.1.2

2006-06-23 Thread B Thompson
On Fri, Jun 23, 2006 at 09:30:24AM +0100, [EMAIL PROTECTED] wrote:
 %files   
 
 %defattr(-,root,root)
 
 # start of modification Tadej Bregar 
  
 sed -i s@doc/freeradius@doc/freeradius-%{version}@
 doc/Makefile doc/examples/Makefile doc/rfc/Makefile
 %doc doc/ChangeLog doc/README* todo/ COPYRIGHT INSTALL

I think the sed command does not want to go in the %files
section. Someone else suggested putting it just before the %build
line, near the beginning of the file.


-- 

Ben Thompson


huntgroups and rlm_ldap

2006-06-23 Thread adincov
Hello,
I need to store in an OpenLDAP backend some access control information based on 
NAS IP address. Normally this can be done via huntgroups and clients local 
configuration files. Does anyone know a simple method to put access control 
based on NAS IP in the LDAP backend?
Thanks
Alex




Re: freeradius and certs

2006-06-23 Thread K. Hoercher

The .pem .p12 and .der are just typical endings of filenames
containing certs in different 'styles'. FR will use the .pem ones
(default in openssl, I think). windows in general is more easily
convinced to accept .der.

Assuming you talk about some eap-* usage, FR alone, in most
circumstances, will only need 1 root and 1 server certificate (might
be helpfully named root* and cert-srv*), encoded in PEM format, thus
*.pem.

Whatever you run as supplicant on what OS determines what sort of
client certificate (and eventually root certificate, perhaps in
different encoding than the one above) you need.

So depending on what you're actually trying to achieve, you only need
a subset of the 3x3 matrix you listed.

regards
 K. Hoercher


Checking SSID via A/D Group

2006-06-23 Thread Garber, Neal








We use Cisco 1232 APs with EAP-PEAP-MSCHAPv2 to a Cisco ACS (RADIUS
server). We would like to restrict access to SSIDs based upon Windows
group membership. The ACS server is not capable of doing this. I
currently have FreeRadius (1.1.2) installed under FreeBSD with OpenSSL
0.9.7d-p1 17 and Samba 3.0.20b. If the server is joined to an Active
Directory domain, would it be possible to not just authenticate user/pwd
through Samba, but also to check for Windows group membership based upon
the SSID to which the user is trying to authenticate? If this is
possible, can you suggest the general approach to implementing this?

For instance, if we have SSIDs: ssid1, ssid2 and ssid3 and we want to map

ssid1 - Windows group ssid1 users
ssid2 - Windows group ssid2 users
ssid3 - Windows group ssid3 users

such that if the user is a member of the group and their credentials are
valid, FreeRadius would return Access-Accept. If they aren't a member of
the group or their credentials are invalid, it would return
Access-Reject.

I've seen some threads talking about putting a SSID attribute in LDAP.
But, users could be authorized for more than one SSID so it doesn't seem
like that approach would work. Also, administratively, it's easier to
identify/manage who is authorized for which SSIDs if it is done via
group membership as opposed to a user attribute.

Also, does FreeRadius support changing of passwords via MSCHAP to Active
Directory when the password is expired?

Thank you in advance for any help/guidance you can provide.

Neal









Re: Radius Logs

2006-06-23 Thread Alan DeKok
Grant Wright [EMAIL PROTECTED] wrote:
 I use the RADIUS logs to calculate usage for a client. What I want to do is
 separate the internal FTP traffic (which is classified as free traffic) from
 the rest
 
 of the traffic so that I can charge the client accordingly.

  Unless the NAS sends information saying what is FTP and what isn't,
this is impossible.

  Alan DeKok.



Re: Freeradius-Users Digest, Vol 14, Issue 95

2006-06-23 Thread Alan DeKok
Walter Reynolds [EMAIL PROTECTED] wrote:
 Now the question is what example config file had the suppress stanza under 
 the detail auth_log section as well?  Mine just listed it under the detail 
 section so I did not know I needed to put it in both places.

  The rest of the documentation explains how the modules are set up.
The auth_log module is a variant of the detail module.  Nothing is
different except the name, and the options you put into its
configuration.

  Alan DeKok.
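
A small audit for the situation discussed in this thread, where every detail instance needs its own suppress list: it reports each detail instance in a radiusd.conf that does not suppress User-Password or whose detailperm is open to group or other. This is an added example, not FreeRADIUS code or anything posted to the list; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the fragment quoted in this thread: the
# default instance suppresses User-Password, auth_log does not.
SAMPLE_CONF = """\
modules {
    detail {
        # a brace in a comment { must not open a section
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
        suppress {
            User-Password
        }
    }
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0644
    }
}
"""

# "name {" or "name instance {". Only a brace that ends the line opens a
# section, so ${radacctdir} and %{Client-IP-Address} are left alone.
SECTION_OPEN = re.compile(r"^([\w-]+)(?:\s+([\w-]+))?\s*\{$")


def detail_instances(conf):
    """Return {instance name: {"suppress": [...], "detailperm": str or None}}."""
    stack, found = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumes no '#' inside values
        if not line:
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            module, instance = opened.group(1), opened.group(2) or opened.group(1)
            stack.append((module, instance))
            if module == "detail":
                found[instance] = {"suppress": [], "detailperm": None}
        elif line == "}":
            if stack:
                stack.pop()
        elif stack and stack[-1][0] == "detail":
            key, _, value = line.partition("=")
            if key.strip() == "detailperm":
                found[stack[-1][1]]["detailperm"] = value.strip()
        elif len(stack) > 1 and stack[-1][0] == "suppress" and stack[-2][0] == "detail":
            found[stack[-2][1]]["suppress"].append(line)
    return found


def findings(conf):
    """List detail instances that log passwords or write widely readable files."""
    report = []
    for name, cfg in detail_instances(conf).items():
        if "User-Password" not in cfg["suppress"]:
            report.append(f"detail instance {name!r}: User-Password is not suppressed")
        perm = cfg["detailperm"]
        if perm is not None and int(perm, 8) & 0o077:
            report.append(f"detail instance {name!r}: detailperm {perm} allows group/other access")
    return report


print("\n".join(findings(SAMPLE_CONF)))
```
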


Re: Compiling Problem concerning `crypt' !!!

2006-06-23 Thread Alan DeKok
Ravi pandey [EMAIL PROTECTED] wrote:
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE 
 -DNDEBUG -D_LIBRADIUS -I../include -c crypt.c  -fPIC -DPIC -o .libs/crypt.lo
 In file included from crypt.c:31:
 /usr/include/pthread.h:299: error: parse error before '*' token

  The header files on your system are broken.

  pthread.h seems to require inclusion of other header files, but
doesn't include them itself.

  Without a detailed investigation into the contents of the header
files on your system, it's difficult to say exactly what's wrong.

  Alan DeKok.



Re: Checking SSID via A/D Group

2006-06-23 Thread Alan DeKok
Garber, Neal [EMAIL PROTECTED] wrote:
 FreeBSD with OpenSSL 0.9.7d-p1 17 and Samba 3.0.20b.  If the server is
 joined to an
 Active Directory domain, would it be possible to not just authenticate
 user/pwd through
 Samba, but also to check for Windows group membership based upon the
 SSID

  Yes.  For the purposes of group checking, AD is just an LDAP
directory.  You should be able to edit the LDAP group membership
checks to do this.

  Alan DeKok.



EAP-MD5 with LDAP

2006-06-23 Thread Rohaizam Abu Bakar

Hi..

Using FB 6.0
FR 1.0.5

trying to configure EAP-MD5  with LDAP backend...

But it keep reporting:

rlm_ldap: Attribute User-Password is required for authentication.

No EAP been processed...

please see full debug log below..


Below is my config with multiple DEFAULT entry... for Wireless services  
normal Dialup authentication




i) users

  DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5, Auth-Type := Y5

  DEFAULT Autz-Type := LDAP, Auth-Type := LDAP

ii) eap.conf

   eap {
       default_eap_type = md5
       md5 {
       }
   }


iii) radiusd.conf


$INCLUDE ${confdir}/eap.conf

authorize {
   eap

   Autz-Type LDAP {
       ldap1
   }
   Autz-Type Y5 {
       ldapy51
   }
}


authenticate {

   Auth-Type LDAP {
       ldap1
   }
   Auth-Type Y5 {
       ldapy51
   }
   eap
}


   ldap ldap1 {
   server = localhost
   identity = cn=root,dc=jaring,dc=my
   password = xx
   basedn = ou=RADIUS,ou=People,dc=jaring,dc=my
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   start_tls = no
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 10
   password_attribute = userPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
   }

ldap ldapy51 {
   server = localhost
   identity = cn=root,dc=jaring,dc=my
   password = xx
   basedn = ou=Y5,ou=People,dc=jaring,dc=my
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   start_tls = no
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 10
   password_attribute = userPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
   }



rad_recv: Access-Request packet from host 202.73.10.12:1814, id=133,
length=197
   Framed-MTU = 1466
   NAS-IP-Address = 10.220.0.2
   NAS-Identifier = OCEPOP
   User-Name = jaroce
   Service-Type = Framed-User
   NAS-Port = 129
   NAS-Port-Type = Ethernet
   NAS-Port-Id = ether9_129
   Called-Station-Id = 00-11-95-e1-ce-8a
   Calling-Station-Id = 00-13-46-86-c3-93
   Connect-Info = CONNECT Ethernet 2Mbps Full duplex
   EAP-Message = 0x02020015016a61726f6365406d793031352e636f6d
   Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209
   Proxy-State = 0x3433
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '/' in User-Name = jaroce, skipping NULL due to
config.
 modcall[authorize]: module IPASS returns noop for request 1
   rlm_realm: No '@' in User-Name = jaroce, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = jaroce
   rlm_realm: Proxying request from user jaroce to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: EAP packet type response id 2 length 21
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
   users: Matched entry DEFAULT at line 68
 modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
 Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 1
modcall: entering group redundant for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce
radius_xlat:  '(uid=jaroce)'
radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with
filter (uid=jaroce)
rlm_ldap: checking if remote access for jaroce is allowed by dialupAccess
rlm_ldap: Added password j4r1ng in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value
Van-Jacobson-TCP-IP  op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP 
op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User 
op=11
rlm_ldap: user jaroce authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap1 returns ok for 

Re: EAP-MD5 with LDAP

2006-06-23 Thread Stefan Winter
Hi,

 trying to configure EAP-MD5  with LDAP backend...

 rlm_ldap: Attribute User-Password is required for authentication.

oh, a classic. You are trying to use a backend that requires to have the clear 
text password, but are instead feeding it with a one-way crypted password. 
This won't work out-of-the-box. What you *might* be able to do is retrieve 
the user's password during authorize with an administrator account, and then 
during authenticate let the server compare things themselves, without calling 
ldap during authenticate. Never done that, but it seems possible to me. Good 
luck.

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
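
Why EAP-MD5 needs a clear-text password on the server side, shown as an added example (not part of the original posts and not FreeRADIUS code): the supplicant sends only MD5(Identifier || password || challenge), so the request carries no User-Password and the server must recompute the digest from the password itself. The packet layout follows the MD5-Challenge type of RFC 3748; the password, the challenge and the `{MD5}` stored form are constructed values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4
# EAP-Message attribute from the debug output quoted in this thread.
EAP_MESSAGE_FROM_LOG = bytes.fromhex("02020015016a61726f6365406d793031352e636f6d")


def parse_eap(packet):
    """Return (code, identifier, type, type-data) of an EAP request/response."""
    code, ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match the packet size")
    return code, ident, eap_type, packet[5:]


def md5_packet(code, ident, value):
    """Build an EAP-MD5 packet: Type 4, Value-Size, Value (Name omitted)."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def md5_value(packet):
    """Extract the Value field (the challenge or the response digest)."""
    _, _, eap_type, data = parse_eap(packet)
    if eap_type != EAP_TYPE_MD5 or not data or len(data) < 1 + data[0]:
        raise ValueError("not a well-formed EAP-MD5 packet")
    return data[1:1 + data[0]]


def chap_digest(ident, secret, challenge):
    """MD5(Identifier || secret || challenge), the same construction as CHAP."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def peer_response(request, password):
    """What the supplicant sends: a digest only, never the password."""
    ident = parse_eap(request)[1]
    return md5_packet(EAP_RESPONSE, ident, chap_digest(ident, password, md5_value(request)))


def server_verify(request, response, stored_secret):
    """The server recomputes the digest from whatever its backend stores."""
    ident = parse_eap(request)[1]
    expected = chap_digest(ident, stored_secret, md5_value(request))
    return parse_eap(response)[1] == ident and hmac.compare_digest(expected, md5_value(response))


def demo():
    password = b"constructed-password"      # constructed sample value
    challenge = bytes(range(16))            # fixed so the run is repeatable
    request = md5_packet(EAP_REQUEST, 3, challenge)
    response = peer_response(request, password)
    hashed = b"{MD5}" + base64.b64encode(hashlib.md5(password).digest())
    return {
        "identity": parse_eap(EAP_MESSAGE_FROM_LOG)[3].decode(),
        "cleartext_backend": server_verify(request, response, password),
        "hashed_backend": server_verify(request, response, hashed),
    }


print(demo())
```
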




sqlcounter, always does the lookup or conditional

2006-06-23 Thread Dennis Skinner
I was hoping someone could save me a few cycles on a hectic Friday since
my test system is down at the moment and the info in radiusd.conf
doesn't mention it.

With the sqlcounter module, will it always do the sql lookup on an
incoming auth request or only if the check-name attribute is among the
check items?  The latter would really save some overhead if only a few
customers were time limited.

Thanks!

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com