Re: FreeRADIUS crashes after EAP/PEAP authentication

2006-08-29 Thread K. Hoercher

Well, the *full* output would have been helpful (including the startup
messages). And a backtrace from the coredump.

HTH
K. Hoercher
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Reply VSA-s in Access-Reject

2006-08-29 Thread Shankar Ganesh C
Hi Yervand,

How do I set a VSA in an Access-Reject reply?
Is adding dictionary files enough, or does any other support need to be done?

Rgds,
Shankar ganesh

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yervand Petrosyan
Sent: Wednesday, August 30, 2006 10:56 AM
To: freeradius-users@lists.freeradius.org
Subject: Reply VSA-s in Access-Reject


Hello,

In version 1.1.3 Access-Reject doesn't return VSA attributes in the reply,
but it works well in 1.0.1.
Something was changed?

Thanks in advance,
Yervand






How to return the values from the exec program to free radius?

2006-08-29 Thread Shankar Ganesh C



Hi All,

Could somebody help me to know how to return values from the exec program?
I can understand that I need to use the output-pairs or reply list, but I do not really know
how to use that; any sample code or document would really help me.

Thanks and regards
Shankar ganesh

Reply VSA-s in Access-Reject

2006-08-29 Thread Yervand Petrosyan
Hello,

In version 1.1.3 Access-Reject doesn't return VSA attributes in the reply,
but it works well in 1.0.1.
Something was changed?

Thanks in advance,
Yervand





FreeRADIUS crashes after EAP/PEAP authentication

2006-08-29 Thread Nick Larsen
Hi

I sent an email to the list with the subject "EAP PEAP, unable to load certificate", but as the subject has changed slightly, I've decided to create a new thread.

Has anyone had any issues at all when setting up PEAP?

My FreeRADIUS installation, which is used for ADSL/Dial Up AAA (and, if I can get it working, Wireless AAA), crashes as a wireless client tries to authenticate, but is fine for DSL/Dial Up.

I'm running FreeRADIUS 1.1.1 (OpenSSL 0.9.7e-p1 25 Oct 2004).

Running on: FreeBSD radius02.01.net.nz 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Wed Nov  2 22:33:15 UTC 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC  sparc64

FreeRADIUS configuration line:
./configure --sysconfdir=/etc --localstatedir=/var --disable-ltdl-install --with-ltdl-include=/usr/local/include --with-ltdl-lib=/usr/local/lib --with-large-files --with-rlm_sql_unixodbc --without-rlm_krb5 --without-rlm_sql_postgresql --without-rlm_ldap --enable-strict-dependencies --disable-shared --with-openssl-includes=/usr/local/include/openssl --with-openssl-libraries=/usr/local/lib

Here is the radiusd -XA output when a wireless user tries to authenticate:
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.199:1812, id=5, length=73
    User-Name = "nick"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x02010009016e69636b
    NAS-IP-Address = 10.10.1.199
    Message-Authenticator = 0x44a4bae6e408185535e54b666e440793
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "nick", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
radius_xlat:  'nick'
rlm_sql (sql): sql_set_user escaped user --> 'nick'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM radcheck   WHERE Username = 'nick'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'nick' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM radreply   WHERE Username = 'nick'   ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'nick' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 5 to 10.10.1.199 port 1812
    Framed-IP-Address := 10.10.1.197
    Service-Type := Framed-User
    Framed-Protocol := PPP
    Acct-Interim-Interval := 600
    Framed-IP-Netmask := 255.255.255.0
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x
    State = 0x441787b224b2cade909f815da10d28a2
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.10.1.199:1812, id=6, length=156
    User-Name = "nick"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0202004a19800040160301003b01370301d47428dbffab776a5aa27dd1f3ae43b58ba88be83f19c437a92b5e416c87ecf6140005000a000900640062000300060100
    State = 0x441787b224b2cade909f815da10d28a2
    NAS-IP-Address = 10.10.1.199
    Message-Authenticator = 0xd35a0b343af33d868016f1faa2c401ca
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "nick", looking up realm NULL
    rlm_realm: No suc

Error 403 Dialupadmin

2006-08-29 Thread toink_lagi_enak
Dear users,

I've already configured my PC with freeradius 1.1.2, and after I configured it, there is still an error loading the web page of dialupadmin. I tried some advice: changed the permission of the dialupadmin directory to 701, added the directory in httpd.conf and changed the value allowoverride allow, but still got Error 403 about permission denied.

My Distro: Linux Trustix 2.2
Kernel: 2.4.32-1tr

Sorry for my bad English.

-- 
Thanks,
Thohir
http://toinkers.blogspot.com/


RE: Building Freeradius RPM on Redhat ES 4.0

2006-08-29 Thread Sandworm

On Wednesday, 30 August 2006 10:19 AM, Michael King wrote:
> > -----Original Message-----
> > I saw this last week building 1.1.3 on RHEL 4.0 ES (Update 3) too.
> > Was fixed by just applying the latest patches from Redhat. Appears to
> > be due to a mismatch between various software levels. With
> > the latest fixes, it is all OK.
>
> Which patches?  Just run Up2date and all should be well?

Should be. We have an internal yum repository that collects
all the latest updates from Redhat. I just did a
"yum -y update" and all was well.

SW




Re: 4 servers implementation

2006-08-29 Thread Guilherme Franco
Sorry Mike, I was referring to my earlier post (just forgot to forward it):

Hello,

Currently, I'm trying to implement Freeradius in 2 servers, and it's working. The
problem is, I need to use an Oracle database that is in another server.
That's quite ok as I've copied the contents of $ORACLE_HOME to the 2
freeradius servers.

The other problem is that I need to use Dialup Admin that is installed in another server, totalling 4 servers. In the dialupadmin admin.config, it states that it needs the /etc/local/radius in the same machine.

What can I do?

Thank you.

On 8/29/06, Mike Mitchell <[EMAIL PROTECTED]> wrote:

> From: Guilherme Franco
> Sent: Wednesday, 30 August 2006 10:05 AM
> To: freeradius-users@lists.freeradius.org
> Subject: 4 servers implementation
>
> > Please, anybody can help me?
>
> Help you with what? You'll need to be a bit more specific.


RE: 4 servers implementation

2006-08-29 Thread Mike Mitchell

From: Guilherme Franco
Sent: Wednesday, 30 August 2006 10:05 AM
To: freeradius-users@lists.freeradius.org
Subject: 4 servers implementation

> Please, anybody can help me?

Help you with what? You'll need to be a bit more specific.

RE: Building Freeradius RPM on Redhat ES 4.0

2006-08-29 Thread King, Michael
 

> -Original Message-
> I saw this last week building 1.1.3 on RHEL 4.0 ES (Update 3) too.
> Was fixed
> by just applying the latest patches from Redhat. Appears to 
> be due to a mismatch between various software levels. With 
> the latest fixes, it is all OK.
> 


Which patches?  Just run Up2date and all should be well?  



4 servers implementation

2006-08-29 Thread Guilherme Franco
Please, anybody can help me?

Thanks.

RE: Building Freeradius RPM on Redhat ES 4.0

2006-08-29 Thread Sandworm

On Wednesday, 30 August 2006 9:32 AM, Michael King wrote:
> We're trying to build FreeRADIUS 1.1.3 into a RPM to install on our
> RedHat ES 4.0 servers.
>
> Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
> rpmlib(PayloadFilesHavePrefix) <= 4.0-1

I saw this last week building 1.1.3 on RHEL 4.0 ES (Update 3) too.
Was fixed by just applying the latest patches from Redhat. Appears to be
due to a mismatch between various software levels. With the latest
fixes, it is all OK.

SW




Building Freeradius RPM on Redhat ES 4.0

2006-08-29 Thread King, Michael
We're trying to build FreeRADIUS 1.1.3 into a RPM to install on our
RedHat ES 4.0 servers.

Following the directions in the Wiki

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#How_do_I_build_a_RPM_package_from_sources.3F

I get the following error(s) and I've attached the referenced file
below.  I'm unsure how to fix this... RedHat and RPM is a new
environment for me.  (I'm more accustomed to Debian)

Executing(%doc): /bin/sh -e /var/tmp/rpm-tmp.49148
+ umask 022
+ cd /home/mking/rpmbuild/BUILD
+ cd freeradius-1.1.3
+ DOCDIR=/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
+ export DOCDIR
+ rm -rf /var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
+ /bin/mkdir -p /var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
+ cp -pr suse/README.SuSE
/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
+ cp -pr doc/00-OLD doc/aaa.txt doc/Acct-Type doc/ascend doc/Autz-Type
doc/bay doc/bugs doc/ChangeLog doc/cisco doc/coding-methods.txt
doc/configurable_failover doc/CYGWIN doc/DIFFS doc/duplicate-users
doc/examples doc/ldap_howto.txt doc/load-balance.txt doc/MACOSX
doc/Makefile doc/misc-nas doc/module_interface doc/mssql doc/OS2
doc/performance-testing doc/Post-Auth-Type doc/processing_users_file
doc/proxy doc/RADIUS-LDAP-eDirectory doc/RADIUS-SQL.schema doc/radrelay
doc/README doc/release-method.txt doc/rfc doc/rlm_attr_filter
doc/rlm_dbm doc/rlm_digest doc/rlm_eap doc/rlm_fastusers doc/rlm_krb5
doc/rlm_ldap doc/rlm_pam doc/rlm_passwd doc/rlm_python
doc/rlm_sim_triplets doc/rlm_sql doc/rlm_sqlcounter doc/rlm_sqlippool
doc/Session-Type doc/Simultaneous-Use doc/supervise-radiusd.txt
doc/tuning_guide doc/variables.txt LICENSE COPYRIGHT CREDITS README
/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3
cp: will not overwrite just-created
`/var/tmp/freeradius-root/usr/share/doc/freeradius-1.1.3/README' with
`README'
error: Bad exit status from /var/tmp/rpm-tmp.49148 (%doc)
Processing files: freeradius-debuginfo-1.1.3-0
Provides: libeap-1.1.3.so.debug libradius-1.1.3.so.debug
rlm_acct_unique-1.1.3.so.debug rlm_always-1.1.3.so.debug
rlm_attr_filter-1.1.3.so.debug rlm_attr_rewrite-1.1.3.so.debug
rlm_chap-1.1.3.so.debug rlm_checkval-1.1.3.so.debug
rlm_counter-1.1.3.so.debug rlm_dbm-1.1.3.so.debug
rlm_detail-1.1.3.so.debug rlm_digest-1.1.3.so.debug
rlm_eap-1.1.3.so.debug rlm_eap_gtc-1.1.3.so.debug
rlm_eap_leap-1.1.3.so.debug rlm_eap_md5-1.1.3.so.debug
rlm_eap_mschapv2-1.1.3.so.debug rlm_eap_peap-1.1.3.so.debug
rlm_eap_sim-1.1.3.so.debug rlm_eap_tls-1.1.3.so.debug
rlm_eap_ttls-1.1.3.so.debug rlm_exec-1.1.3.so.debug
rlm_expr-1.1.3.so.debug rlm_fastusers-1.1.3.so.debug
rlm_files-1.1.3.so.debug rlm_ippool-1.1.3.so.debug
rlm_krb5-1.1.3.so.debug rlm_ldap-1.1.3.so.debug
rlm_mschap-1.1.3.so.debug rlm_ns_mta_md5-1.1.3.so.debug
rlm_otp-1.1.3.so.debug rlm_pam-1.1.3.so.debug rlm_pap-1.1.3.so.debug
rlm_passwd-1.1.3.so.debug rlm_perl-1.1.3.so.debug
rlm_preprocess-1.1.3.so.debug rlm_radutmp-1.1.3.so.debug
rlm_realm-1.1.3.so.debug rlm_sql-1.1.3.so.debug
rlm_sql_log-1.1.3.so.debug rlm_sqlcounter-1.1.3.so.debug
rlm_unix-1.1.3.so.debug
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.49148 (%doc)

Here's the contents of that file.


[EMAIL PROTECTED] SPECS]$ more /var/tmp/rpm-tmp.49148
#!/bin/sh

  RPM_SOURCE_DIR="/home/mking/rpmbuild/SOURCES"
  RPM_BUILD_DIR="/home/mking/rpmbuild/BUILD"
  RPM_OPT_FLAGS="-O2 -g -pipe -m32 -march=i386 -mtune=pentium4"
  RPM_ARCH="i386"
  RPM_OS="linux"
  export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
  RPM_DOC_DIR="/usr/share/doc"
  export RPM_DOC_DIR
  RPM_PACKAGE_NAME="freeradius"
  RPM_PACKAGE_VERSION="1.1.3"
  RPM_PACKAGE_RELEASE="0"
  export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
  RPM_BUILD_ROOT="/var/tmp/freeradius-root"
  export RPM_BUILD_ROOT


  set -x
  umask 022
  cd /home/mking/rpmbuild/BUILD
cd freeradius-1.1.3
DOCDIR=$RPM_BUILD_ROOT/usr/share/doc/freeradius-1.1.3
export DOCDIR
rm -rf $DOCDIR
/bin/mkdir -p $DOCDIR
cp -pr  suse/README.SuSE $DOCDIR
cp -pr  doc/* LICENSE COPYRIGHT CREDITS README $DOCDIR
cp -pr  doc/examples/* $DOCDIR
cp -pr  scripts/create-users.pl scripts/CA.* scripts/certs.sh $DOCDIR
cp -pr  scripts/users2mysql.pl scripts/xpextensions $DOCDIR
cp -pr  scripts/cryptpasswd scripts/exec-program-wait
scripts/radiusd2ldif.pl $DOCDIR
exit 0



WebDAV HTTP Auth to RADIUS, possible?

2006-08-29 Thread Michael Check

Is it possible to set up an Apache 1.3 server with WebDAV to
authenticate to a freeRADIUS?

Ideally, I would like to tell the Apache directives to look at
freeRADIUS for authentication using the httpd.conf file.

Has anyone ever done this or able to point me in a direction?  Is it
even possible?

We're using freeRadius 1.1.0 on OSX.4, successfully authenticating
off an Active Directory master.

Thanks in advance,

Michael Check


Re: Cannot compile and run on Mac OS X 10.4.7

2006-08-29 Thread Michael Check

On 8/22/06, Michael Check <[EMAIL PROTECTED]> wrote:

We tried googling around and we're happy to hear that freeradius will
be a part of 10.5, but we'd like to get it running now...  There
really is no other docs we've found  on getting it compiled (after
difficulty like the above) and installed.  Certainly nothing recent
anyway.  Is it true that it _should_ just work? :)

Thanks in advance for any assistance,


This issue is not really solved, I didn't get it to compile, but I
thought those of you that are looking for a solution to run freeRADIUS
on OSX should look to the package installer that I found.  It is quite
recent (version 1.1.0pre0) and runs great.

The company has a neat product for managing the scripts that you
should look at, too.

Here is the url: http://www.carpestellarem.com

Thanks,

Michael Check


Re: sqlcounter

2006-08-29 Thread K. Hoercher

On 8/29/06, Fabiano Martins <[EMAIL PROTECTED]> wrote:

> I've been searching with no success about this... It's frustrating...
> there is no documents about.

Perhaps looking into the very obscure doc/rlm_sqlcounter file
helps, although it's not "DOC" for some strange reason.

regards
K. Hoercher


Re: Limit Login Attempt

2006-08-29 Thread Michael Mitchell

fvt3 wrote:

> How do you prevent a user from authenticating after
> three unsuccessful attempts in freeradius.  I am

In short, you can't. There is very little (nothing?) you can do to prevent 
someone from attempting to authenticate. Is this behaviour causing you 
particular problems though? Load issues on your RADIUS server or other 
infrastructure?

Our ISP has a system that attempts to control this behaviour though. It tracks 
the login attempts from each Calling-Station-Id. If the rate of failed attempts 
goes over a certain threshold then the user will actually be accepted for a 15 
minute session, but restricted to a captive portal which presents a web page 
with troubleshooting tips. This may help remove some of the load from your 
RADIUS servers at the expense of tying up ports on your NAS. There's still 
nothing you can do though if the modem just disconnects and tries to reconnect 
again.



> currently having this issue where a MAC address is
> constantly trying to authenticate after getting login
> incorrect.  Any help is appreciated.. Thanks in
> advance ...

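A per-Calling-Station-Id failure tracker of the kind the reply above describes, as an added example (not the ISP's system and not FreeRADIUS code): once a station's failed attempts cross a threshold inside a time window it is moved from plain rejects to a 15-minute quarantine decision, which a deployment would map to an Access-Accept carrying its captive-portal reply attributes. The event format, the threshold and window values, and the handling of attempts made during quarantine are assumptions.

```python
import time
from collections import defaultdict, deque

# Decision strings. Mapping them to RADIUS replies (Access-Reject, or an
# Access-Accept whose reply attributes put the session on the captive
# portal) is NAS-specific and left to the deployment.
REJECT, ACCEPT, QUARANTINE = "reject", "accept", "quarantine"


class FailedAuthTracker:
    """Track failed authentications per Calling-Station-Id.

    `threshold` failures within `window_seconds` put the station into
    quarantine for `quarantine_seconds` (900 = the 15-minute session the
    reply describes; threshold and window are assumed values).
    """

    def __init__(self, threshold=3, window_seconds=300, quarantine_seconds=900):
        self.threshold = threshold
        self.window = window_seconds
        self.quarantine = quarantine_seconds
        self.failures = defaultdict(deque)  # station -> timestamps of recent failures
        self.quarantined_until = {}         # station -> epoch seconds

    def _in_quarantine(self, station, now):
        until = self.quarantined_until.get(station)
        if until is None:
            return False
        if now >= until:
            del self.quarantined_until[station]  # quarantine has expired
            return False
        return True

    def record(self, station, authenticated, now=None):
        """Feed one authentication outcome; return the decision for it."""
        now = time.time() if now is None else now
        if self._in_quarantine(station, now):
            # Assumption: while quarantined the station stays on the portal.
            return QUARANTINE
        recent = self.failures[station]
        if authenticated:
            recent.clear()  # a good login resets the counter
            return ACCEPT
        recent.append(now)
        while recent and recent[0] < now - self.window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self.quarantined_until[station] = now + self.quarantine
            recent.clear()
            return QUARANTINE
        return REJECT


# Constructed sample: (seconds since start, Calling-Station-Id, authenticated?)
SAMPLE_EVENTS = [
    (0, "00a0c9112233", False),
    (5, "00a0c9445566", False),
    (10, "00a0c9112233", False),
    (15, "00a0c9445566", True),
    (20, "00a0c9112233", False),     # third failure inside the window
    (25, "00a0c9445566", False),
    (30, "00a0c9112233", False),     # still inside the 15-minute quarantine
    (1000, "00a0c9112233", False),   # quarantine expired, counter restarted
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the constructed events and return the decision for each."""
    tracker = FailedAuthTracker()
    return [tracker.record(station, ok, now=t) for t, station, ok in events]


if __name__ == "__main__":
    for (t, station, _), decision in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={t:4d} {station} -> {decision}")
```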


Re: rlm_perl and accounting

2006-08-29 Thread Pshem Kowalczyk

On 8/30/06, Alan DeKok <[EMAIL PROTECTED]> wrote:

> "Pshem Kowalczyk" <[EMAIL PROTECTED]> wrote:
> > > > $RAD_REQUEST{'User-Name'} = 'testuser';
> > >
> > >   You're re-writing the request packet (i.e. the one from the NAS),
> > > not the packet that's about to be sent to the home server.
> > >
> > >   Try: $RAD_PROXY_REQUEST{'User-Name'} = 'testuser';
> >
> > I added:
> > use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_PROXY_REQUEST);
> >
> > and it didn't work, change resulted in the following debug:
>
>   That isn't what I said to do.
>
>   Are you going to follow my recommendations?


You're right, that's what happens when I do too many things at once.
Regarding the post-proxy - I checked the rlm_perl code and the
post-proxy packet should be referenced as RAD_REQUEST_PROXY_REPLY, not
simply RAD_REPLY; after discovering that, everything works flawlessly.

Sorry for the trouble and thx for the great work :-)

kind regards
pshemko


Re: rlm_perl and accounting

2006-08-29 Thread Alan DeKok
"Pshem Kowalczyk" <[EMAIL PROTECTED]> wrote:
> > > $RAD_REQUEST{'User-Name'} = 'testuser';
> >
> >   You're re-writing the request packet (i.e. the one from the NAS),
> > not the packet that's about to be sent to the home server.
> >
> >   Try: $RAD_PROXY_REQUEST{'User-Name'} = 'testuser';
> 
> I added:
> use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_PROXY_REQUEST);
> 
> and it didn't work, change resulted in the following debug:

  That isn't what I said to do.

  Are you going to follow my recommendations?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_perl and accounting

2006-08-29 Thread Pshem Kowalczyk

On 8/29/06, Alan DeKok <[EMAIL PROTECTED]> wrote:

> "Pshem Kowalczyk" <[EMAIL PROTECTED]> wrote:
> > So I've compiled the source and gave it a try, but it behaved exactly
> > as the stable version - didn't replace nor removed any attributes. Is
> > this supposed to work?
> > I tested the pre and post proxy methods:
> ...
> > # Function to handle pre_proxy
> > sub pre_proxy {
> >
> > &radiusd::radlog(1, "entering pre-proxy");
> >
> > $RAD_REQUEST{'User-Name'} = 'testuser';
>
>   You're re-writing the request packet (i.e. the one from the NAS),
> not the packet that's about to be sent to the home server.
>
>   Try: $RAD_PROXY_REQUEST{'User-Name'} = 'testuser';



I added:
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_PROXY_REQUEST);

and it didn't work, change resulted in the following debug:

rad_recv: Access-Request packet from host 127.0.0.1 port 32787, id=15, length=62
   User-Password = "test"
   User-Name = "test"
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-IP-Address = a.b.c.d
 Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
   rlm_realm: No '@' in User-Name = "test", looking up realm NULL
   rlm_realm: No such realm "NULL"
perl_pool: item 0x8201620 asigned new request. Handled so far: 1
found interpetator at address 0x8201620
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Stripped-User-Name = test
perl_pool total/active/spare [2/0/2]
Unreserve perl at address 0x8201620
modcall: group authorize returns ok for request 0
 Processing the pre-proxy section of radiusd.conf
modcall:  entering group pre-proxy for request 0
perl_pool: item 0x840f8c8 asigned new request. Handled so far: 1
found interpetator at address 0x840f8c8
rlm_perl: entering pre-proxy
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Realm = quik
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
rlm_perl: Added pair Stripped-User-Name = test
rlm_perl: Added pair Proxy-To-Realm = quik
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = test
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair Proxy-State = 0x3135
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Realm = quik
rlm_perl: Added pair NAS-IP-Address = a.b.c.d
perl_pool total/active/spare [2/0/2]
Unreserve perl at address 0x840f8c8
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 22 to x.y.z.103 port 1812
   Framed-Protocol = PPP
   User-Name = "test"
   User-Password = "test"
   Proxy-State = 0x3135
   Service-Type = Framed-User
   NAS-IP-Address = a.b.c.d

So this time the new value of User-Name ('testuser') doesn't even show
in the debug.


> > # Function to handle post_proxy
> > sub post_proxy {
> >
> > &radiusd::radlog(1, "entering post-proxy");
> > $RAD_REPLY{'Framed-IP-Address'} = '10.10.1.1';
>
>   That works.  The debug log you posted shows that in the reply.


Well, yes it works, but it didn't replace the original value:

Sending Access-Accept of id 96 to 127.0.0.1 port 32785
  Framed-IP-Address = 10.10.1.1
  Framed-IP-Address = 192.168.1.65

So now I have two, which confuses the NAS. I tried to remove the whole key
from the hash using the 'delete' function and add it afterwards, but
it didn't seem to work. It looks like the original attributes are
added anyway after the results from rlm_perl (version 1.37).
In our situation we have to have control over the IPs sent to the NASes.

Thx for all the hints
pshemko


Re: MySQL : where is db_mysql.sql from FreeRadius ?

2006-08-29 Thread Fabiano Martins

Bruno,

In my version, Freeradius 1.1.1, the mentioned file is located in
/usr/share/doc/freeradius/examples/db_mysql.sql.gz

Unpack the .gz file and the .sql file with the queries to create the
freeradius database will be ready to use.


Regards

Fabiano


Bruno Costacurta wrote:

> Hello,
>
> as I'm trying to configure FreeRadius to use MySQL, I downloaded v1.1.3 but I
> cannot find file 'db_mysql.sql' (used to create needed tables) in related
> directory src/modules/rlm_sql/drivers/rlm_sql_mysql/ as it is mentioned in
> the doc.
>
> Where can I find db_mysql.sql ?
>
> Thanks.
> Bye,
> Bruno


sqlcounter

2006-08-29 Thread Fabiano Martins

Hi All!!

I would like to know if someone knows some DOC about sqlcounter
implementation.

I've been searching with no success about this... It's frustrating...
there are no documents about it.


I'm trying to put it to run on my freeradius server...

If someone knows how to give me some hint, it will be welcome!

Regards,

Fabiano





Re: MySQL : where is db_mysql.sql from FreeRadius ?

2006-08-29 Thread A . L . M . Buxey
Hi,

> as I'm trying to configure FreeRadius to use MySQL, I downloaded v1.1.3 but I
> cannot find file 'db_mysql.sql' (used to create needed tables) in related
> directory src/modules/rlm_sql/drivers/rlm_sql_mysql/ as it is mentioned in
> the doc.

the document is out of date and the .sql file has been moved; this
question is answered multiple times in the users mailing list, so
an archive search would have been fruitful.

go to the following location: freeradius-1.1.3/doc/examples

it was deemed to be far more useful to have the SQL schemas
in a clearer directory than in a deeply rooted part of the source
code hierarchy.

alan


Re: Freeradius and SNMP

2006-08-29 Thread Kevin Bonner
On Tuesday 29 August 2006 07:25, Michael Schwartzkopff wrote:
> I recompiled the latest version (1.1.3) explicitly telling configure
> --with-snmp and everything seems to be ok. Debug output from radius:

Looks like everything should work fine based on the output.

> Now:
>
> snmpwalk (...) mib-2.67 gives good results, but
> snmpwalk (...) enterprises.3317 gives nothing.
>
> Reading the MIBs in mibs/ there are only the descriptions of mib-2.67,
> nothing about 3317. Is this OK or am I missing something?

mib-2.67 is what you care about.  You can load the mib files from the mibs/ 
directory to see useful names, or read the chart files to see what each OID 
value represents.

The private enterprise number 3317 is assigned by IANA [1] to "Port Community 
Rotterdam", which released the GNOME-SMI MIB module.  The GNOME-SMI MIB is 
used in mibs/GNOME-PRODUCT-RADIUSD-MIB, and using that file you can obtain a 
full object name for the enterprises.3317.1.3.1 OID.  Its only use right now 
is for the SMUX connection, but it may also be needed if/when AgentX support is 
added.

Kevin Bonner

[1] http://www.iana.org/assignments/enterprise-numbers



Limit Login Attempt

2006-08-29 Thread fvt3
Hi all,

How do you prevent a user from authenticating after
three unsuccessful attempts in freeradius?  I am
currently having this issue where a MAC address is
constantly trying to authenticate after getting login
incorrect.  Any help is appreciated.. Thanks in
advance ...



Re: Freeradius + OpenLDAP - user password problem

2006-08-29 Thread K. Hoercher

On 8/29/06, Tilen <[EMAIL PROTECTED]> wrote:
> So here comes something really weird:
>
>  Waking up in 6 seconds...
>  rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=147
>  User-Name = "test"
>  NAS-IP-Address = 192.168.1.1
>  Called-Station-Id = "00401013"
>  Calling-Station-Id = "000e3557c74e"
>  NAS-Identifier = "00401013"
>  NAS-Port = 30
>  Framed-MTU = 1400
>  State = 0x123b5c7e213692f7121dbe4052274024
>  NAS-Port-Type = Wireless-802.11
>  EAP-Message = 0x02020011198715030100020230
>  Message-Authenticator = 0xd65ea4a0e55f28c1e76a6b51f9ec9467
>
>    Processing the authorize section of radiusd.conf
>  modcall: entering group authorize for request 2


The part "1503..." is a TLS 1.0 Alert message. Therefore the
OpenSSL lib bails out of further processing, as specified in RFC 2246.
That's (arguably somewhat hard to understand) also mentioned in the
output:
3447:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
3447:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:

So your client wasn't able to find a correct CA certificate for the
cert freeradius had sent before. Please see to provide those. If in
doubt, check with dummy ones to be created by the CA.all script.

regards
K. Hoercher
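The decoding K. Hoercher does by eye above, as an added example that is not FreeRADIUS code: it parses the EAP header, the EAP-TLS/PEAP flags and the TLS record header out of an EAP-Message value as radiusd prints it, and names a TLS alert such as number 48 (unknown_ca). The PEAP Start request and the Identity response used below are from the Access-Challenge and Access-Request earlier on this page; the alert and ClientHello samples are constructed to be well-formed and are not byte-for-byte from any list post.

```python
"""Decode the TLS record carried in an EAP-Message attribute.

Layout (RFC 3748 / RFC 2716 / RFC 2246):
  EAP: code(1) id(1) length(2) type(1)
  EAP-TLS / PEAP: flags(1) [tls_message_length(4) when the L flag is set] tls_data
  TLS record: content_type(1) version(2) length(2) body
"""
import struct

EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
TLS_EAP_TYPES = {13: "eap-tls", 21: "eap-ttls", 25: "peap"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # RFC 2246 AlertDescription values
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START = 0x80, 0x40, 0x20


def decode_tls_record(tls):
    """Decode the first TLS record header and, for alerts, the alert body."""
    if len(tls) < 5:
        raise ValueError("TLS record header truncated")
    content_type, major, minor, length = struct.unpack("!BBBH", tls[:5])
    body = tls[5:5 + length]
    record = {"content_type": TLS_CONTENT_TYPES.get(content_type, content_type),
              "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
              "length": length}
    if content_type == 21 and len(body) == 2:       # alert: level + description
        record["alert_level"] = ALERT_LEVELS.get(body[0], body[0])
        record["alert_description"] = body[1]
        record["alert_name"] = ALERT_DESCRIPTIONS.get(body[1], "unknown")
    elif content_type == 22 and body:               # handshake: msg_type comes first
        record["handshake_type"] = body[0]          # 1 = ClientHello
    return record


def decode_eap_message(hex_value):
    """Parse one EAP-Message value as radiusd prints it ("0x...")."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or len(data) < 5:
        return msg                                   # Success/Failure carry no type
    eap_type = data[4]
    msg["type"] = TLS_EAP_TYPES.get(eap_type, eap_type)
    if eap_type not in TLS_EAP_TYPES:
        msg["payload"] = data[5:]                    # e.g. an Identity response
        return msg
    if len(data) < 6:
        raise ValueError("EAP-TLS flags byte missing")
    flags = data[5]
    msg["flags"] = {"length_included": bool(flags & FLAG_LENGTH_INCLUDED),
                    "more_fragments": bool(flags & FLAG_MORE_FRAGMENTS),
                    "start": bool(flags & FLAG_START),
                    "version": flags & 0x07}        # PEAP version bits
    pos = 6
    if flags & FLAG_LENGTH_INCLUDED:
        (msg["tls_message_length"],) = struct.unpack("!I", data[pos:pos + 4])
        pos += 4
    tls = data[pos:]
    msg["tls_data"] = tls
    if tls and not msg["flags"]["more_fragments"]:
        if "tls_message_length" in msg and msg["tls_message_length"] != len(tls):
            raise ValueError("TLS message length does not match a single fragment")
        msg["tls_record"] = decode_tls_record(tls)
    return msg


def explain(hex_value):
    """One-line reading of the packet, as a list reply would phrase it."""
    msg = decode_eap_message(hex_value)
    if msg.get("flags", {}).get("start") and not msg.get("tls_data"):
        return f"EAP {msg['code']} id={msg['id']}: {msg['type']} Start"
    rec = msg.get("tls_record")
    if rec is None:
        return f"EAP {msg['code']} id={msg['id']}: no complete TLS record"
    if rec["content_type"] == "alert":
        return (f"{rec['version']} {rec['alert_level']} alert "
                f"{rec['alert_description']} ({rec['alert_name']})")
    return f"{rec['version']} {rec['content_type']} record, {rec['length']} bytes"


PEAP_START = "0x010200061920"           # Access-Challenge on this page: PEAP Start
# Constructed samples (well-formed, not copied from a post):
PEAP_ALERT = "0x0202001119800000000715030100020230"   # fatal unknown_ca (48)
PEAP_CLIENT_HELLO = "0x0202001519800000000b1603010006010000020301"

if __name__ == "__main__":
    for sample in (PEAP_START, PEAP_ALERT, PEAP_CLIENT_HELLO):
        print(sample, "->", explain(sample))
```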


MySQL : where is db_mysql.sql from FreeRadius ?

2006-08-29 Thread Bruno Costacurta
Hello,

as I'm trying to configure FreeRadius to use MySQL, I downloaded v1.1.3 but I 
cannot find file 'db_mysql.sql' (used to create needed tables) in related 
directory src/modules/rlm_sql/drivers/rlm_sql_mysql/ as it is mentioned in 
the doc.

Where can I find db_mysql.sql ?

Thanks.
Bye,
Bruno


proxying NAS-Port-Id

2006-08-29 Thread Martin Prokes

Hi all,
could you help me? I am using freeradius version 1.0.2. Is there some
possibility to do proxying based on the attribute NAS-Port-Id (not only
based on realm)?


Thanks
Martin 



Re: issue with attribute 97 from rfc3162 in users file

2006-08-29 Thread A . L . M . Buxey
Hi,

> /usr/local/etc/raddb/users[227]: Parse error (reply) for entry
> hextest: unknown attribute type 8
> Errors reading /usr/local/etc/raddb/users

this works with the 2.0pre CVS code.. so there's something not quite right 
in the 1.1.3 code. and yes, there's no IPV6PREFIX handler in valuepair.c
or in the print debugger or full handling in radius.c

FreeRADIUS Version 2.0.0-pre0

dict.c: { "ipv6prefix", PW_TYPE_IPV6PREFIX },
print.c:case PW_TYPE_IPV6PREFIX:
radius.c:   case PW_TYPE_IPV6PREFIX:
radius.c:   case PW_TYPE_IPV6PREFIX:
radius.c:   case PW_TYPE_IPV6PREFIX:
radius.c:   case PW_TYPE_IPV6PREFIX:
valuepair.c:case PW_TYPE_IPV6PREFIX:
valuepair.c:case PW_TYPE_IPV6PREFIX:
valuepair.c:case PW_TYPE_IPV6PREFIX:


FreeRADIUS Version 1.1.3

dict.c: { "ipv6prefix", PW_TYPE_IPV6PREFIX },
radius.c:   case PW_TYPE_IPV6PREFIX:
radius.c:   case PW_TYPE_IPV6PREFIX:


so that's why it isn't working for you 

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP authentication

2006-08-29 Thread Lin Richardson
reeradius-1.1.3/etc/raddb/ldap.attrmap
rlm_ldap: LDAP isaccountenabled mapped to RADIUS Account-Enabled
rlm_ldap: LDAP remotepassword mapped to RADIUS User-Password
rlm_ldap: LDAP accesslist mapped to RADIUS Access-List
rlm_ldap: LDAP remotegroup mapped to RADIUS Class
conns: bd508
Module: Instantiated ldap (ldap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/freeradius-1.1.3/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/freeradius-1.1.3/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded detail 
 detail: detailfile = 
"/usr/local/freeradius-1.1.3/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded files 
 files: usersfile = "/usr/local/freeradius-1.1.3/etc/raddb/users"
 files: acctusersfile = "/usr/local/freeradius-1.1.3/etc/raddb/acct_users"
 files: preproxy_usersfile = 
"/usr/local/freeradius-1.1.3/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
 detail: detailfile = 
"/usr/local/freeradius-1.1.3/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/freeradius-1.1.3/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/freeradius-1.1.3/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Listening on authentication *:1815
Listening on accounting *:1816
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:43455, id=50, length=60
User-Name = "testuser"
User-Password = "TESTpwd"
NAS-IP-Address = 255.255.255.255
NAS-Port = 35000
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  '/usr/local/freeradius/etc/scripts/mycompany_wireless.atz 
testuser'
Exec-Program: /usr/local/freeradius/etc/scripts/mycompany_wireless.atz testuser
Exec-Program output: 
Exec-Program: returned: 0
  modcall[authorize]: module "mycompany_wireless" returns ok for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  
'/usr/local/freeradius-1.1.3/var/log/radius/radacct/127.0.0.1/auth-detail-20060829'
rlm_detail: 
/usr/local/freeradius-1.1.3/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to 
/usr/local/freeradius-1.1.3/var/log/radius/radacct/127.0.0.1/auth-detail-20060829
  modcall[authorize]: module "auth_log" returns ok for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(uid=testuser)(isaccountenabled=true))'
radius_xlat:  'o=mycompany'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 0
rlm_ldap: bind as appl=VPN Radius Server, ou=applications, o=mycompany/FRRADpw 
to ldapvip.co.mycompany.com:389
rlm_ldap: waiting for bind result 

Re: EAP-TLS multi clients

2006-08-29 Thread K. Hoercher

On 8/29/06, Lazzarini Matteo <[EMAIL PROTECTED]> wrote:

 First of all I excuse me for my English. :-(


Ah no problem, after it got sorted out.


itself correctly to the wlan, authenticated by freeradius with eap-tls.
 Now therefore there are no more problems as far as the authentication
is concerned.


Grats. So it was just my pessimism to  suppose there are still issues.


 The CA.all script generates me only 1 server, 1 client and 1 root


Hm. Ok, those are just provided to be able to check the freeradius
setup with respect to eap et al., they are not meant to be a
production CA. So I'd suggest looking at openssl.org for further
information (looking at the scripts might give you some starting point
though). Basically you are to issue (unique) client certs (modelled to
the one CA.all gave you) to other users either by acting as your own
CA or using some commercial CA.

regards
K. Hoercher
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


4 servers implementation

2006-08-29 Thread Guilherme Franco
Hello,

Currently, I'm trying to implement Freeradius in 2 servers, and it's working. The problem is, I need to use an Oracle database that is in another server. That's quite ok as I've copied the contents of $ORACLE_HOME to the 2 freeradius servers.

The other problem is that I need to use Dialup Admin that is installed in another server, totalling 4 servers. In the dialupadmin admin.config, it states that it needs the /etc/local/radius in the same machine.

What can I do?

Thank you.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Interface binding problem

2006-08-29 Thread Nicolas Baradakis
[EMAIL PROTECTED] wrote:

> I'd like to set it up with the commandline switch (-i ), but 
> this does not seem to work (tested on versions 0.2, 1.0.1 and 1.2): the 
> server only takes the address from the configuration file and completely 
> ignores the commandline switch. I do realise that the commandline switch 
> is deprecated, but is it possible to get this to work somehow?

You may try a nightly CVS snapshot. I think the -i and -p options
are fixed in CVS.

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Interface binding problem

2006-08-29 Thread Peter Nixon
On Tue 29 Aug 2006 18:40, [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm trying to setup FreeRADIUS in a testing setup where the IP address
> to which it binds needs to be set. The RADIUS server is loaded on-demand
> on a number of machines, where almost all configuration is the same,
> except for the IP address to which it needs to listen.
>
> Normally this would be setup in the configuration file, but this means
> that either I can't have a centralized configuration file (which makes
> things very complicated, as I'm trying to provide a standard service in
> an experimental environment), or the configuration file needs to be
> changed before every FreeRADIUS startup, which also is very inconvenient.
>
> I'd like to set it up with the commandline switch (-i ), but
> this does not seem to work (tested on versions 0.2, 1.0.1 and 1.2): the
> server only takes the address from the configuration file and completely
> ignores the commandline switch. I do realise that the commandline switch
> is deprecated, but is it possible to get this to work somehow?

Firstly, you can always include a file with local config details. I believe 
that will solve your problem.

Secondly, the command line switch should work I believe. If it doesn't we 
need to look at it :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Interface binding problem

2006-08-29 Thread Marcel . De_Boer

Hello,

I'm trying to setup FreeRADIUS in a testing setup where the IP address 
to which it binds needs to be set. The RADIUS server is loaded on-demand 
on a number of machines, where almost all configuration is the same, 
except for the IP address to which it needs to listen.


Normally this would be setup in the configuration file, but this means 
that either I can't have a centralized configuration file (which makes 
things very complicated, as I'm trying to provide a standard service in 
an experimental environment), or the configuration file needs to be 
changed before every FreeRADIUS startup, which also is very inconvenient.


I'd like to set it up with the commandline switch (-i ), but 
this does not seem to work (tested on versions 0.2, 1.0.1 and 1.2): the 
server only takes the address from the configuration file and completely 
ignores the commandline switch. I do realise that the commandline switch 
is deprecated, but is it possible to get this to work somehow?


Kind regards,
   Marcel de Boer

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS multi clients

2006-08-29 Thread Lazzarini Matteo
OK.
First of all I excuse me for my English. :-(
The scripts about which I speak are those inside the "scripts" directory of the freeradius sources. (CA.all)
I use the client's certificate (cert-clt.p12) for my user who connects correctly to the wlan, authenticated by freeradius with eap-tls.
Now therefore there are no more problems as far as the authentication is concerned.

Is there a way to obtain more certs for other clients of the wlan (multi-clients)?
The CA.all script generates only 1 server, 1 client and 1 root

Thanks


-Original Message-
From: [EMAIL PROTECTED] on behalf of K. Hoercher
Sent: Tue 29/08/2006 14.51
To: FreeRadius users mailing list
Subject: Re: EAP-TLS multi clients

On 8/29/06, Lazzarini Matteo <[EMAIL PROTECTED]> wrote:
>  I have used three scripts to generate certs root, server and client (with
> xpextension).
>  They exist of the certs for multi clients to use for eap-tls?
Hi,

Which scripts? I'm not sure what your last sentence means. Afaik you
should give out one (client) certificate per user.

Whats the debugging output?

Supposing it's the *same* problem as with your previous tests
regarding eap-peap/mschapv2 did you check for the hint Alan gave?

Furthermore the whole range suggested in <[EMAIL PROTECTED]>
might be useful. (regarding #1, please see
http://lists.shmoo.com/pipermail/hostap/2006-July/013673.html ). While
perhaps being the most cumbersome, a full capture like suggested might
be also most instructive.

The nas log you showed in <[EMAIL PROTECTED]> sadly
isn't very concise. But as it somehow mentiones an EAP-Response with
your desired username, it would be good to know if/when/how it sends
those out to freeradius, as they seem to get lost. So capturing the
traffic between nas and freeradius would be a good idea also.

If that doesn't give yourself any clues, I'd suggest providing url's
where to download those informations. Please don't try to put some
digested information into an line mangling mua or an eventually
similar way of making it unnecessary hard to look into it for those
trying to help.

regards
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: issue with attribute 97 from rfc3162 in users file

2006-08-29 Thread Christian Hahn
Hi,

Alan DeKok wrote:
> Christian Hahn <[EMAIL PROTECTED]> wrote:
>> hextest Auth-Type := Local, User-Password == "secret"
>> Service-Type = Framed-User,
>> NAS-IP-Address = xx.xx.xx.xx,
>> Framed-IPv6-Prefix = 2001:db8::::/64,
> 
>   The value for the prefix should be in quotes.  The parser for the
> "users" file is pretty simple.
I just tried this but unfortunately it changed nothing, the server
still stops with the same error:

Parse error (reply) for entry hextest: unknown attribute type 8
Errors reading /usr/local/etc/raddb/users

If I comment out the IPv6 prefix line it works and delivers also all
other rfc3162 attributes if configured in the users file.

In the dictionaries I found the data type ipv6prefix only used in the
rfc3162 dictionary. Are there any successful test known for this data
type and freeradius?

best regards,
Christian Hahn
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: issue with attribute 97 from rfc3162 in users file

2006-08-29 Thread Alan DeKok
Christian Hahn <[EMAIL PROTECTED]> wrote:
> hextest Auth-Type := Local, User-Password == "secret"
> Service-Type = Framed-User,
> NAS-IP-Address = xx.xx.xx.xx,
> Framed-IPv6-Prefix = 2001:db8::::/64,

  The value for the prefix should be in quotes.  The parser for the
"users" file is pretty simple.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
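The two replies above (Alan Buxey's note that 1.1.3 has no PW_TYPE_IPV6PREFIX handler in valuepair.c, and Alan DeKok's note on quoting the value) both concern attribute 97. As an added example, not FreeRADIUS code and not from either post, here is the RFC 3162 section 2.3 wire format that such a handler has to produce and accept: Type (97), Length, a Reserved octet (0), Prefix-Length, then only as many Prefix octets as the prefix needs. It uses the valid prefix 2001:db8::/64 and relies on Python's standard ipaddress module to reject host bits set beyond the prefix length, which RFC 3162 requires to be zero.

```python
"""Encode and decode a RADIUS Framed-IPv6-Prefix attribute (RFC 3162 s.2.3).

Added example, not FreeRADIUS code: the wire layout is
  Type(97) | Length | Reserved(0) | Prefix-Length | Prefix (0..16 octets)
where Length covers the whole attribute (4..20 octets).
"""
import ipaddress
import struct

FRAMED_IPV6_PREFIX = 97  # attribute number from RFC 3162


def encode_framed_ipv6_prefix(prefix: str) -> bytes:
    """Return the complete AVP (type, length, value) for an IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)   # rejects host bits set
    nbytes = (net.prefixlen + 7) // 8                    # octets the prefix needs
    value = bytes([0, net.prefixlen]) + net.network_address.packed[:nbytes]
    return struct.pack("!BB", FRAMED_IPV6_PREFIX, 2 + len(value)) + value


def decode_framed_ipv6_prefix(avp: bytes) -> str:
    """Parse an AVP back into 'prefix/len', validating every length field."""
    if len(avp) < 4:
        raise ValueError("AVP shorter than the 4-octet minimum")
    atype, alen, reserved, plen = avp[0], avp[1], avp[2], avp[3]
    if atype != FRAMED_IPV6_PREFIX:
        raise ValueError(f"not a Framed-IPv6-Prefix attribute: type {atype}")
    if alen != len(avp) or alen > 20:
        raise ValueError("bad attribute length")
    if reserved != 0:
        raise ValueError("reserved octet must be zero")
    if plen > 128:
        raise ValueError("prefix length above 128")
    prefix = avp[4:]
    if len(prefix) < (plen + 7) // 8:
        raise ValueError("prefix field too short for the stated prefix length")
    padded = (prefix + bytes(16))[:16]   # pad the truncated prefix to 128 bits
    # strict=True raises if any bit beyond Prefix-Length is set (RFC 3162)
    return str(ipaddress.IPv6Network((padded, plen), strict=True))
```

`encode_framed_ipv6_prefix("2001:db8::/64")` gives 97, 12, 0, 64 followed by the eight prefix octets, and decoding that round-trips to "2001:db8::/64"; an AVP with a non-zero bit past the prefix length is rejected rather than silently truncated.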


Re: Ip Pool group assignment

2006-08-29 Thread Alan DeKok
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> Alan, excuse me for a question, I have read documentation but i think
> that it's impossible to do it with chillispot, it's real? There isn't
> opensource NAS that can do it?

  No idea, sorry.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS multi clients

2006-08-29 Thread Lazzarini Matteo

OK.
First of all I apologise for my imprecise English. :-(
The scripts about which I speak are those inside the "scripts" 
directory of the freeradius sources. (CA.all)
I use the client's certificate (cert-clt.p12) for my user who connects 
correctly to the wlan, authenticated by freeradius with eap-tls. 
Now therefore there are no more problems as far as the 
authentication is concerned.

What I wanted to know is if there is a way to obtain more certs for 
other clients of the wlan. The CA.all script generates only 1 server, 1 
client and 1 root

Thanks


-Original Message-
From: [EMAIL PROTECTED] on behalf of K. Hoercher
Sent: Tue 29/08/2006 14.51
To: FreeRadius users mailing list
Subject: Re: EAP-TLS multi clients
 
On 8/29/06, Lazzarini Matteo <[EMAIL PROTECTED]> wrote:
>  I have used three scripts to generate certs root, server and client (with
> xpextension).
>  They exist of the certs for multi clients to use for eap-tls?
Hi,

Which scripts? I'm not sure what your last sentence means. Afaik you
should give out one (client) certificate per user.

Whats the debugging output?

Supposing it's the *same* problem as with your previous tests
regarding eap-peap/mschapv2 did you check for the hint Alan gave?

Furthermore the whole range suggested in <[EMAIL PROTECTED]>
might be useful. (regarding #1, please see
http://lists.shmoo.com/pipermail/hostap/2006-July/013673.html ). While
perhaps being the most cumbersome, a full capture like suggested might
be also most instructive.

The nas log you showed in <[EMAIL PROTECTED]> sadly
isn't very concise. But as it somehow mentiones an EAP-Response with
your desired username, it would be good to know if/when/how it sends
those out to freeradius, as they seem to get lost. So capturing the
traffic between nas and freeradius would be a good idea also.

If that doesn't give yourself any clues, I'd suggest providing url's
where to download those informations. Please don't try to put some
digested information into an line mangling mua or an eventually
similar way of making it unnecessary hard to look into it for those
trying to help.

regards
K. Hoercher
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: rlm_sqlippool

2006-08-29 Thread Elie Hani
Hi Peter,

Well the database is configured, and I made some tests and it's working.
But what I need to know is what changes should I do in the radiusd.conf file
and especially in the users file, to oblige the users to use the
authentication from the database not locally.

Secondly, what is the entry that declares the ip pool in the database? Is it
framed-pool?

Thanks Peter.

Elie 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Peter Nixon
Sent: Monday, August 28, 2006 4:53 PM
To: FreeRadius users mailing list
Subject: Re: rlm_sqlippool

Hi Elie

My instructions assume that you already know how to setup rlm_sql. If you do
not, you first need to read doc/rlm_sql

Alternatively you can read the wiki:
http://wiki.freeradius.org/index.php/Rlm_sql

Regards

Peter

On Mon 28 Aug 2006 18:04, Elie Hani wrote:
> Hi;
>
> I was reading this email, and I've followed the steps.
> I have created the postgresql database, but what should I do to make the
> radius get the authentication from the postgresql database? And where
> should I add the configuration if I want to declare the username and the
> password in the database, and what changes should I do in the radiusd.conf
> and the users file?
>
> Thanks
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Peter Nixon
> Sent: Sunday, August 27, 2006 5:05 PM
> To: Chris Knipe; FreeRadius users mailing list
> Subject: Re: rlm_sqlippool
>
> On Sat 26 Aug 2006 23:09, Chris Knipe wrote:
> > Hi,
> >
> > I know this is new, and not yet documented, but I saw some good posts about
> > it being stable, so I'm looking at implementing it at the moment... But
> > alas, I'm confused and the lack of documentation is not helping.
> >
> > doc/rlm_sqlippool states:
> > The only required fields are, pool_name and ip_address. A pool consists
> > of one or more rows in the table with the same pool_name and a different
> > ip_address. The is no restriction on which ip addresses/ranges may be in
> > the same pool, and addresses do not need to be concurrent.
> >
> > Yet, raddb/sqlippool.conf, makes absolutely NO sense to me at the moment at
> > all, and there is WAY more than merely a pool name and a IP address
> > referenced in the queries...  I understand that there is some unique
> > elements required in the table to indicate that a IP is allocated, and to
> > know where the IP is allocated (and obviously to release that IP once the
> > session terminates).
>
> it is really not that complex :-) As the docs state put one or more records in
> the table with a pool_name and ip_address and then use the pool_name the same
> way you do with the standard ippool module. Thats it.
>
> > Can someone perhaps please just take a moment to explain what exactly is
> > going on in those queries??  I'm not referring to the SQL as such, but
> > rather as to what is updated, and why.  A table structure accompanying
> > those queries in sqlippool.conf may help significantly as well, as I'm
> > guessing at the moment what needs to go where :(
>
> The table structure is in the same file as all the rest of the database
> schema
> at doc/examples/postgresql.sql
>
> For reference it is:
>
> CREATE TABLE radippool (
> id  BIGSERIAL PRIMARY KEY,
> pool_name   text NOT NULL,
> FramedIPAddress INET,
> NASIPAddresstext NOT NULL,
> CalledStationId VARCHAR(64),
> CallingStationIdtext DEFAULT ''::text NOT NULL,
> expiry_time TIMESTAMP(0) without time zone NOT NULL,
> usernametext DEFAULT ''::text,
> pool_keyVARCHAR(30) NOT NULL
> );
>
> I have only tested this with Postgresql, although I will probably be testing
> on Oracle at some point. If you want to test it on some other database you
> are welcome. Please report the results :-)
>
> Regards

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple registers in my DB with the same information

2006-08-29 Thread Peter Nixon
On Tue 29 Aug 2006 15:52, Santiago Balaguer García wrote:
> Hi people,
>
> I use freeradius 1.1.0 on debian servers for several years. Now I use my
> radius server more than before. So in my DB it appears some strange
> duplicate registers which have the same information.
>
> I show a snapshoot with an account where the problem happens:
> 
> radacctid|acctsessionid|acctuniqueid|username|realm|nasipaddress|nasportid|nasporttype|acctstarttime|acctstoptime|acctsessiontime|acctauthentic|connectinfo_start|connectinfo_stop|acctinputoctets|acctoutputoctets|calledstationid|callingstationid|acctterminatecause|servicetype|framedprotocol|framedipaddress|acctstartdelay|acctstopdelay
> 153270|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 14:40:59.614916+02|2006-07-26 17:20:52.812241+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129|0|0
> 153395|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.945729+02|2006-07-26 17:20:52.945729+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||16
> 153392|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.902309+02|2006-07-26 17:20:52.902309+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||4
> 153393|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.929558+02|2006-07-26 17:20:52.929558+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||8
> 153394|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.966051+02|2006-07-26 17:20:52.966051+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||12
> 153396|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.983671+02|2006-07-26 17:20:52.983671+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||20
> 153397|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:30.019645+02|2006-07-26 17:20:53.019645+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||24
> 153398|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:30.047495+02|2006-07-26 17:20:53.047495+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||28
> 153401|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.204327+02|2006-07-26 17:20:52.204327+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||88
> -
> I attach this info in a file <>
>
> As you can realize the last integer after the IP is acctstopdelay. These
> values are 0, 4, 8, 12, 16, 20, 24, 28, 88. It is not usual this attribute
> was higher than 1. My request timeout is 4 secs. Well, this situation is
> very important because I have a trigger to decrease the credit of this
> account. Moreover, the time which this account spent is NOT real.
>
> What I don't know if the problem is in my NAS or there is a mistake in my
> freeradius configuration.
> Any sugestion??

It appears your database is not keeping up with the load, so when the NAS 
doesn't receive an answer in time it resends the request. Alternatively it 
could be caused by a network problem between radius and the NAS.

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
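Peter's diagnosis (the NAS retransmits the Acct-Stop when no reply arrives in time) can be checked in the data itself: every retransmission carries the same Acct-Unique-Session-Id but a larger Acct-Delay-Time, which is the acctstopdelay column stepping 0, 4, 8, ... in 4-second retry intervals. The following is an added example, not from either post, that runs that check over a constructed export modelled on the one quoted above (a subset of its columns, same acctuniqueid and delay values). It flags the copies, tells the original from the retransmits, and reduces the table to one row per session.

```python
"""Spot NAS retransmissions in a RADIUS accounting export (added example).

Not from the post: SAMPLE_EXPORT is constructed with the same shape as the
export quoted above, keeping only the columns the check needs.  A NAS that
gets no reply re-sends the Acct-Stop with Acct-Delay-Time increased by the
time it has been waiting, so the copies share acctuniqueid and differ in
acctstopdelay.
"""
from collections import defaultdict

SAMPLE_EXPORT = """\
radacctid|acctsessionid|acctuniqueid|username|nasipaddress|acctstoptime|acctstopdelay
153270|A201|9c4661a9f1471d42|aabo6098|172.19.242.50|2006-07-26 17:20:52+02|0
153392|A201|9c4661a9f1471d42|aabo6098|172.19.242.50|2006-07-26 17:20:52+02|4
153393|A201|9c4661a9f1471d42|aabo6098|172.19.242.50|2006-07-26 17:20:52+02|8
153395|A201|9c4661a9f1471d42|aabo6098|172.19.242.50|2006-07-26 17:20:52+02|16
153401|A201|9c4661a9f1471d42|aabo6098|172.19.242.50|2006-07-26 17:20:52+02|88
160001|B777|0badc0ffee123456|other01|172.19.242.50|2006-07-27 09:00:00+02|0
"""


def parse_export(text):
    """Parse a pipe-separated export with a header row into dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("|")
    rows = []
    for line in lines[1:]:
        fields = line.split("|")
        if len(fields) != len(header):
            raise ValueError(f"column count mismatch: {line!r}")
        row = dict(zip(header, fields))
        row["acctstopdelay"] = int(row["acctstopdelay"] or 0)
        rows.append(row)
    return rows


def find_retransmits(rows, retry_interval=4):
    """Group by acctuniqueid; report every session stored more than once."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["acctuniqueid"]].append(r)
    report = {}
    for uid, copies in groups.items():
        if len(copies) < 2:
            continue
        copies.sort(key=lambda r: (r["acctstopdelay"], int(r["radacctid"])))
        delays = [r["acctstopdelay"] for r in copies]
        report[uid] = {
            "original": copies[0]["radacctid"],       # smallest delay = first send
            "duplicates": [r["radacctid"] for r in copies[1:]],
            "delays": delays,
            # retransmits land on multiples of the NAS retry timer
            "looks_like_retry": all(d % retry_interval == 0 for d in delays[1:]),
        }
    return report


def dedupe(rows):
    """Keep one row per acctuniqueid: the copy with the smallest delay."""
    best = {}
    for r in rows:
        cur = best.get(r["acctuniqueid"])
        if cur is None or r["acctstopdelay"] < cur["acctstopdelay"]:
            best[r["acctuniqueid"]] = r
    return sorted(best.values(), key=lambda r: int(r["radacctid"]))
```

On the sample, `find_retransmits` reports one session, original 153270 with duplicates 153392, 153393, 153395 and 153401 at delays 0, 4, 8, 16, 88, all multiples of the 4-second timeout the poster mentions; `dedupe` leaves two rows. Since acctuniqueid is exactly the key the acct_unique module builds (the debug output earlier on this page lists it as User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port), a unique index on that column lets the database refuse the copies at insert time, so a credit trigger fires once; the retransmissions themselves still mean the reply is arriving late and Peter's advice on database load or the network path still applies.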

Multiple registers in my DB with the same information

2006-08-29 Thread Santiago Balaguer García

Hi people,

I use freeradius 1.1.0 on debian servers for several years. Now I use my 
radius server more than before. So in my DB it appears some strange 
duplicate registers which have the same information.


I show a snapshoot with an account where the problem happens:

radacctid|acctsessionid|acctuniqueid|username|realm|nasipaddress|nasportid|nasporttype|acctstarttime|acctstoptime|acctsessiontime|acctauthentic|connectinfo_start|connectinfo_stop|acctinputoctets|acctoutputoctets|calledstationid|callingstationid|acctterminatecause|servicetype|framedprotocol|framedipaddress|acctstartdelay|acctstopdelay
153270|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 14:40:59.614916+02|2006-07-26 17:20:52.812241+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129|0|0
153395|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.945729+02|2006-07-26 17:20:52.945729+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||16
153392|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.902309+02|2006-07-26 17:20:52.902309+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||4
153393|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.929558+02|2006-07-26 17:20:52.929558+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||8
153394|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.966051+02|2006-07-26 17:20:52.966051+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||12
153396|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.983671+02|2006-07-26 17:20:52.983671+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||20
153397|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:30.019645+02|2006-07-26 17:20:53.019645+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||24
153398|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:30.047495+02|2006-07-26 17:20:53.047495+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||28
153401|A201|9c4661a9f1471d42|aabo6098||172.19.242.50|0|Async|2006-07-26 15:03:29.204327+02|2006-07-26 17:20:52.204327+02|8243264229589|18168071|00-50-E8-02-42-FB|00-13-02-1D-12-58|Session-Timeout|||10.5.0.129||88

-
I attach this info in a file <>

As you can realize the last integer after the IP is acctstopdelay. These 
values are 0, 4, 8, 12, 16, 20, 24, 28, 88. It is not usual this attribute 
was higher than 1. My request timeout is 4 secs. Well, this situation is 
very important because I have a trigger to decrease the credit of this 
account. Moreover, the time which this account spent is NOT real.


What I don't know if the problem is in my NAS or there is a mistake in my 
freeradius configuration.

Any sugestion??



registro.csv
Description: MS-Excel spreadsheet
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS multi clients

2006-08-29 Thread K. Hoercher

On 8/29/06, Lazzarini Matteo <[EMAIL PROTECTED]> wrote:

 I have used three scripts to generate certs root, server and client (with
xpextension).
 They exist of the certs for multi clients to use for eap-tls?

Hi,

Which scripts? I'm not sure what your last sentence means. Afaik you
should give out one (client) certificate per user.

Whats the debugging output?

Supposing it's the *same* problem as with your previous tests
regarding eap-peap/mschapv2 did you check for the hint Alan gave?

Furthermore the whole range suggested in <[EMAIL PROTECTED]>
might be useful. (regarding #1, please see
http://lists.shmoo.com/pipermail/hostap/2006-July/013673.html ). While
perhaps being the most cumbersome, a full capture like suggested might
be also most instructive.

The nas log you showed in <[EMAIL PROTECTED]> sadly
isn't very concise. But as it somehow mentiones an EAP-Response with
your desired username, it would be good to know if/when/how it sends
those out to freeradius, as they seem to get lost. So capturing the
traffic between nas and freeradius would be a good idea also.

If that doesn't give yourself any clues, I'd suggest providing url's
where to download those informations. Please don't try to put some
digested information into an line mangling mua or an eventually
similar way of making it unnecessary hard to look into it for those
trying to help.

regards
K. Hoercher
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + OpenLDAP - user password problem

2006-08-29 Thread Tilen
Requests prior to #4 are missing because I tried to connect multiple
times, and I didn't want to paste the same thing twice. Then everything got
corrupted, because I had to paste it by pieces in the gmail and it
really got messed up. So here is the example of the full (pasted with care
:p) radius log:

[EMAIL PROTECTED] ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/CERTS/newreq.pem"
 tls: certificate_file = "/etc/raddb/CERTS/newcert.pem"
 tls: CA_file = "/etc/raddb/CERTS/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded LDAP 
 ldap: server = "localhost"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "ou=People,dc=kapion,dc=si"
 ldap: filt

issue with attribute 97 from rfc3162 in users file

2006-08-29 Thread Christian Hahn
Hi,

the dictionary.rfc3162 on a freshly compiled freeradius 1.1.3 on CentOS
4.3 x86_64 shows support for attribute 97

- 8<

ATTRIBUTE   Framed-IPv6-Prefix  97  ipv6prefix

- >8

but if I start the server it fails with the following reason:

- 8<

/usr/local/etc/raddb/users[227]: Parse error (reply) for entry
hextest: unknown attribute type 8
Errors reading /usr/local/etc/raddb/users

- >8

the entry for hextest in the users file looks like this (ip address
replaced) and line #227 is the "Framed-IPv6-Prefix" line:


- 8<

hextest Auth-Type := Local, User-Password == "secret"
Service-Type = Framed-User,
NAS-IP-Address = xx.xx.xx.xx,
Framed-IPv6-Prefix = 2001:db8::::/64,
Tunnel-Client-Endpoint = 2001:db8:::/128,
Tunnel-Server-Endpoint = 2001:db8:::1/128

- >8

If I comment out the "Framed-IPv6-Prefix" line the server starts up.
Has anybody seen this error before? I don't know why the server thinks
this is attribute 8.
Have I missed something and the entry for attribute 97 should look
different?

Any hint would be greatly appreciated.

best regards,
Christian Hahn


Re: Ip Pool group assignment

2006-08-29 Thread Giuseppina Venezia

On 8/27/06, Alan DeKok <[EMAIL PROTECTED]> wrote:


  Read the NAS documentation to see what magic is required to get it
to accept the IP address from FreeRADIUS.



Alan, excuse me for a question. I have read the documentation but I think
that it's impossible to do it with chillispot, is that right? Isn't there an
opensource NAS that can do it?
Thanks
Giusy


Re: Freeradius and SNMP

2006-08-29 Thread Michael Schwartzkopff
Am Dienstag, 29. August 2006 12:35 schrieb Alan DeKok:
> Michael Schwartzkopff <[EMAIL PROTECTED]> wrote:
> > What should radiusd say, if snmp does work?
>
>   It *should* print out that it's doing SNMP.  If it doesn't, it's a
> bug.
>
>   Alan DeKok.

Hi,

I recompiled the latest version (1.1.3) explicitly telling configure 
--with-snmp and everything seems to be ok. Debug output from radius:

 main: smux_password = "verysecret"
 main: snmp_write_access = yes
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: verysecret
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 2
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 2
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
SMUX read start
SMUX read len: 12
SMUX message received type: 67 rest len: 4
SMUX_RRSP
SMUX_RRSP value: 0 errstat: 0
--- Walking the entire request list ---

and the logfile from net-snmp tells something meaningful:
[smux_accept] accepted fd 11 from 127.0.0.1:47423
accepted smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd

Now: 

snmpwalk (...) mib-2.67 gives good results, but
snmpwalk (...) enterprises.3317 gives nothing.

Reading the MIBs in mibs/ there are only the descriptions of mib-2.67, nothing 
about 3317. Is this OK or am I missing something?

Michael.



-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



RE: FreeRADIUS and Postgres annoyance

2006-08-29 Thread Santiago Balaguer García

Anyway, in some aspects freeradius can improve.
I use the nas table and it works fine. Obviously, I must reboot my RADIUS 
servers when I insert a new NAS client and it is a problem.


I affirm that the 'realm' table is useless. I tried to configure it lots of times 
without success.




From: "Gregory J. Marsh" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED], FreeRadius users mailing list
To: "'FreeRadius users mailing list'"

Subject: RE: FreeRADIUS and Postgres annoyance
Date: Tue, 8 Aug 2006 11:24:24 -0400

I have the nas table working.  Here's what you might need to know:

1) You don't configure it in radiusd.conf, you configure it in sql.conf --
look at the last few lines of the sample.
2) The documentation is wrong.  Look at the sql query and the schema of the
table.  They don't agree.  I wrote my query to match my needs and made the
schema match that.
3) You must still have at least one entry in the clients.conf file.  I just
put in a dummy for the local machine.
4) On boot, FreeRadius starts before PostgreSQL is ready sometimes.  So, I
put a delay in the FreeRadius start.  I'll do something better later.

Now if I can get the radius.log written to sql instead of a file, I'll be
100% sql which is what I really need.

Greg...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Joe Warren-Meeks
Sent: Tuesday, August 08, 2006 9:53 AM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS and Postgres annoyance


Sorry guys, my fault.. mainly permissions problems on the relevant
tables in postgres.

I haven't got the nas table working yet though, so pointers
there will help..

(moral of the story, tcpdump -w out.dmp -A -nvi eth0 -s0 port 5432
plus ethereal is a good thing.)

  -- joe.

Joe Warren-Meeks   T: +44 (0) 208 962 0007
Aggregator Ltd.M: +44 (0) 7789 176 078
Unit 62/63 Pall Mall Deposit   F: +44 (0) 208 962 0008
124-128 Barlby Road, London W10 6BL
PGP:361F 78D0 56F5 8D7F 2639  947D 71E2 8811 F825 64CC







FreeNAC: OpenSource NAC

2006-08-29 Thread Hector.Ortiz
FreeNAC provides easy to use VLAN assignment and LAN access control for Cisco 
Switches and all kind of network devices (Servers, Workstations, Printers, 
IP-Phones, Webcams...).

FreeNAC can be considered as having two phases.

Initially, we have taken OpenVMPS (which provides MAC based access control), 
added a MySQL back end, a GUI, improved access control algorithms, scalability, 
redundancy, alerting etc. This tool has been published as OpenSource on 
FreeNAC.net.

Next, we are testing 802.1x support by tying in FreeRadius (802.1x provides 
better security and is not limited to Cisco switches) and moving the Delphi GUI 
to a web based user interface.

The 'plan' is for the project to move forward to eventually become THE 
OpenSource Enterprise tool for dynamic VLAN assignment and LAN/WLAN 
authentication.

So, we wish to solicit community opinions, expertise, help and feedback. Are 
you interested in this tool, would you like to use it or even like to 
contribute to it (documentation, support, development, promotion, architecture, 
review...)?

Please visit us on www.FreeNAC.net!



EAP-TLS multi clients

2006-08-29 Thread Lazzarini Matteo
Hi, I do not succeed in authenticating other clients in my system.
I have used three scripts to generate the root, server and client certs (with xpextensions).
Do certs for multiple clients exist to use for EAP-TLS?
Does somebody have advice on how to do it?

thanks

Matteo





Re: Freeradius and SNMP

2006-08-29 Thread Alan DeKok
Michael Schwartzkopff <[EMAIL PROTECTED]> wrote:
> What should radiusd say, if snmp does work?

  It *should* print out that it's doing SNMP.  If it doesn't, it's a
bug.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius and SNMP

2006-08-29 Thread Michael Schwartzkopff
Am Dienstag, 29. August 2006 11:18 schrieb Alan DeKok:
> Michael Schwartzkopff <[EMAIL PROTECTED]> wrote:
> > Any hints? Should there be packets on the interface at all? What am I
> > doing wrong?
>
>   Run the server in debugging mode.  It will tell you if it's doing SNMP.
>
>   Alan DeKok.

hi,

the only reference to SNMP in the debug mode is the following line:

Config:   including file: /usr/local/etc/raddb/snmp.conf

What should radiusd say, if snmp does work?

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: LDAP authentication

2006-08-29 Thread Stefan Winter
> Modify ldap.attrmap so that _your_ attribute is mapped into User-Name, not
> the default one.

User-Password of course.

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




Re: rlm_perl and accounting

2006-08-29 Thread Alan DeKok
"Pshem Kowalczyk" <[EMAIL PROTECTED]> wrote:
> So I've compiled the source and gave it a try, but it behaved exactly
> as the stable version - didn't replace or remove any attributes. Is
> this supposed to work?
> I tested the pre and post proxy methods:
...
> # Function to handle pre_proxy
> sub pre_proxy {
> 
> &radiusd::radlog(1, "entering pre-proxy");
> 
> $RAD_REQUEST{'User-Name'} = 'testuser';

  You're re-writing the request packet (i.e. the one from the NAS),
not the packet that's about to be sent to the home server.

  Try: $RAD_PROXY_REQUEST{'User-Name'} = 'testuser';

> # Function to handle post_proxy
> sub post_proxy {
> 
> &radiusd::radlog(1, "entering post-proxy");
> $RAD_REPLY{'Framed-IP-Address'} = '10.10.1.1';

  That works.  The debug log you posted shows that in the reply.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
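
A complete rlm_perl module built around the distinction Alan draws above (edit the copy that goes to the home server in pre_proxy, and the reply hash in post_proxy). This is an added example, not code from the original posts or from the FreeRADIUS distribution. It assumes the rlm_perl interface as this thread describes it for 1.x: the subs are called by name from package main, the packets are exposed in the global hashes %RAD_REQUEST, %RAD_PROXY_REQUEST and %RAD_REPLY, logging goes through radiusd::radlog, and the return-code constants carry the values from the shipped example.pl. The thread names the proxy hash %RAD_PROXY_REQUEST; later releases call it %RAD_REQUEST_PROXY, so check the example.pl shipped with your version and rename the hash if needed. The stub radiusd::radlog and the self-test with constructed packets at the bottom exist only so the file can be run outside the server.

```perl
#!/usr/bin/perl
# rlm_perl module: rewrite the outgoing proxy request (not the NAS request)
# in pre_proxy, and add a reply attribute in post_proxy.
use strict;
use warnings;

# Hashes populated by rlm_perl (FreeRADIUS 1.x, per the thread).  'our' makes
# them visible under 'use strict' both inside radiusd and stand-alone.
our (%RAD_REQUEST, %RAD_PROXY_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes, with the values used in rlm_perl's example.pl.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_FAIL    => 1;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_HANDLED => 3;
use constant RLM_MODULE_INVALID => 4;
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Assumption: radiusd registers radiusd::radlog before this file is parsed.
# When it is absent we are running outside the server, so install a stub
# (part of this example) and enable the self-test at the bottom.
my $outside_radiusd = !defined &radiusd::radlog;
if ($outside_radiusd) {
    *radiusd::radlog = sub { my ($lvl, $msg) = @_; print STDERR "[$lvl] $msg\n" };
}

# pre_proxy runs just before the packet leaves for the home server.
# %RAD_REQUEST is still the packet from the NAS; %RAD_PROXY_REQUEST is the
# copy that is actually sent, so that is the one to edit.  Here the realm
# suffix is stripped for the home server while the NAS request is left alone.
sub pre_proxy {
    radiusd::radlog(1, "entering pre-proxy");
    my $name = $RAD_PROXY_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $name;

    # Drop a trailing "@realm"; the realm was already used for routing.
    (my $stripped = $name) =~ s/\@[^@]*\z//;
    return RLM_MODULE_NOOP if $stripped eq $name;

    $RAD_PROXY_REQUEST{'User-Name'} = $stripped;
    radiusd::radlog(1, "pre-proxy: User-Name '$name' -> '$stripped' for home server");
    return RLM_MODULE_UPDATED;   # tell the server the pairs were modified
}

# post_proxy runs when the home server's answer is back.  Attributes written
# into %RAD_REPLY end up in the reply returned to the NAS.
sub post_proxy {
    radiusd::radlog(1, "entering post-proxy");
    # Respect an address the home server already assigned.
    return RLM_MODULE_NOOP if exists $RAD_REPLY{'Framed-IP-Address'};
    $RAD_REPLY{'Framed-IP-Address'} = '10.10.1.1';   # fixed address, as in the thread
    return RLM_MODULE_UPDATED;
}

# Stand-alone self-test with constructed packets; never runs inside radiusd.
if ($outside_radiusd) {
    %RAD_REQUEST       = ('User-Name' => 'bob@example.org');
    %RAD_PROXY_REQUEST = %RAD_REQUEST;
    %RAD_REPLY         = ();

    die "pre_proxy should report UPDATED" unless pre_proxy() == RLM_MODULE_UPDATED;
    die "proxy copy must be rewritten"    unless $RAD_PROXY_REQUEST{'User-Name'} eq 'bob';
    die "NAS request must be untouched"   unless $RAD_REQUEST{'User-Name'} eq 'bob@example.org';
    die "post_proxy should add the reply attribute"
        unless post_proxy() == RLM_MODULE_UPDATED
            && $RAD_REPLY{'Framed-IP-Address'} eq '10.10.1.1';
    print "self-test OK\n";
}
1;
```

Run it directly with perl to exercise the self-test; inside the server, point the perl module's `module` setting at this file and list the instance in the pre-proxy and post-proxy sections. The debug output will show the rewritten User-Name only in the proxied packet, which is what the thread's test was missing.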


Re: Freeradius and SNMP

2006-08-29 Thread Alan DeKok
Michael Schwartzkopff <[EMAIL PROTECTED]> wrote:
> Any hints? Should there be packets on the interface at all? What am I doing
> wrong?

  Run the server in debugging mode.  It will tell you if it's doing SNMP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Freeradius and SNMP

2006-08-29 Thread Michael Schwartzkopff
Hi,

I have problems starting the SNMP part of FreeRADIUS.

Setup:
FR 1.0.4, SuSE 10.0

radiusd.conf:
snmp = yes
$INCLUDE  ${confdir}/snmp.conf

snmp.conf:
smux_password = verysecret

Also my net-snmp is configured according to the docs. When I start both daemons 
snmpwalk does not give any answer in 1.3.6.1.4.1.3317. When I do a tcpdump on 
interface lo (or eth0) port 199 I see no packets being exchanged. It seems 
that FR does not even try to register the subagent.

Any hints? Should there be packets on the interface at all? What am I doing 
wrong?

Thanks for any help.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: LDAP authentication

2006-08-29 Thread Stefan Winter
Hi,

> So my question, and I know that there is a caveat about a cleartext
> password being required for LDAP authentication, is:
> Can I make a request to freeradius that gets passed to LDAP but only
> requires the password to be checked against an attribute of the username,
> NOT the real LDAP password.

Modify ldap.attrmap so that _your_ attribute is mapped into User-Name, not the 
default one.

Stefan

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

