Re: Accounting-Response

2006-10-27 Thread Vasea Marii
Actually the situation is a little bit more complicated! The route is sent, as you said, in Access-Accept, but because there is more than one possible route and congestion is possible, when I receive an Accounting-Stop with the cause "route overloaded", I send in the Accounting-Response the second possible route to make things go faster! More than that, I need to send other attributes like Called-Station-Id and, more importantly, the variable Session-Timeout (not in a VSA, of course) that must be sent from a specific cell in the DB. In the procedure we've decided to implement there are 5 attributes that might be sent in the Accounting-Response in some situations, and the thing is that I can't modify the procedure because the rest is ready and this part with RADIUS is my part! If I won't be able to make FreeRADIUS do this I must write a server myself so that I would be able to configure it to my needs! In the O'Reilly manual it is said: "Not only do Accounting-Response packets not have to contain any attributes, but in practice it is rare for them to do so." and "As well, any vendor-specific attributes may be included in Accounting-Response packets". Now, as I said, the procedure is made for voice calls and the procedure can't be modified! The ONLY solution in my case is this! Thanks!

Alan DeKok [EMAIL PROTECTED] wrote:

> Vasea Marii wrote:
> > I'm sorry.. I didn't understand the tone of the answer
>
> All of your sentences end with exclamation marks! You seem very excited!
>
> > Always! But hoping for the best I say that I try to make routing on RADIUS, I mean that a conversation between NAS and RADIUS (where the routes are stored in MySQL) and using a VSA I could send to the NAS the needed route!
>
> Uh, no. Routes are assigned in Access-Accept, not in Accounting-Response.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Static IP Address allocation database - Active Directory?

2006-10-27 Thread duckeo

Has anyone experimented with using Active Directory as a database for
Static IP Addressing?

I have two Radius groups in AD, Radius and Radius_StaticIP.

If you are a member of the Radius group, you are given an address by
the NAS (I return 255.255.255.254 to the NAS).

If you are a member of the Radius_StaticIP group I want to allocate an
address from my end. I am looking at Perl at the moment, but has
anyone tried using a custom attribute in Active Directory or similar to
manage the addressing? Each account could have its address defined in
its AD entry, but can FreeRADIUS look up these attributes and use
them as replies?

Has anyone gotten static ips to work from the client end? I'm not sure
what I need to return to allow the client in a PPP dial-in session to
set their own IP address in TCP/IP properties.

Any help appreciated.


RE: Static IP Address allocation database - Active Directory?

2006-10-27 Thread Jonathan De Graeve

> Has anyone experimented with using Active Directory as a database for
> Static IP Addressing?

Yes, just assign a static IP in the AD dial-in properties for that user and
adapt the ldap.attrmap accordingly; this works perfectly. There is no need to
make a user a member of a 'radius_staticip' group.

J. 

- --
Jonathan De Graeve
IMELDA vzw
Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98





Bug on Accounting-Request proxying

2006-10-27 Thread Geoffroy Arnoud
FreeRADIUS 1.1.3 bug - Accounting requests reemission by FreeRADIUS

In file main\request_list.c, function refresh_request.

In the case of an accounting request (request->proxy->code ==
PW_ACCOUNTING_REQUEST), FreeRADIUS adds to the proxied packet the
attribute Acct-Delay-Time (or updates it, if it was present in a
previous emission) with its value set to the time difference between the current
time and the time of the initial proxied request.

According to RFC 2866, chapter 4.1:

> The Identifier field MUST be changed whenever the content of the
> Attributes field changes, and whenever a valid reply has been received
> for a previous request.  For retransmissions where the contents are
> identical, the Identifier MUST remain unchanged.
>
> Note that if Acct-Delay-Time is included in the attributes of an
> Accounting-Request then the Acct-Delay-Time value will be updated when
> the packet is retransmitted, changing the content of the Attributes
> field and requiring a new Identifier and Request Authenticator.

FreeRADIUS updates the content of the packet when reemitting the 
accounting request, but does not change the Identifier. Thus, those 
packets sent after the first one are *not* true reemissions.

This is a problem for us. For instance, we have the following setup:

A client (A) sending an accounting request to FreeRADIUS (B), which 
retransmits the request to a proxy FreeRADIUS server (C). FreeRADIUS C 
is slow to respond, so FreeRADIUS B reemits the request, with different 
packet attributes (Acct-Delay-Time added), but keeps the same identifier.

FreeRADIUS C receives the second request, but discards it since it has 
the same identifier as the request currently being processed. FreeRADIUS 
C then decides to finally respond (to the first request). FreeRADIUS B 
receives this response, and verifies if the request (the reemission) and 
response match. They do not, thus FreeRADIUS B drops the response and 
logs an error.

FreeRADIUS should either :
- NOT add Acct-Delay-Time attribute in accounting reemissions, thus 
preserving the content of the attributes in the packet.
- or, add an Acct-Delay-Time, but change the identifier and handle the 
proxied packet as a new request.

The second solution seems overly complicated, because FreeRADIUS would 
have to handle the second proxied request as a completely new request, 
but would also have to keep the first one, as the proxy server can respond 
to any of the reemissions.

The first solution is very simple to implement: it simply involves 
removing the block if (request->proxy->code == PW_ACCOUNTING_REQUEST) 
{ ... } in function refresh_request of file main\request_list.c.

I don't know if Acct-Delay-Time attribute is really useful to someone, 
I've never seen it used in any implementation of a RADIUS server. 
Anyhow, it seems way too much hassle to correctly handle this attribute 
in accounting reemissions.

If there is any objection, we will develop a patch to remove 
Acct-Delay-Time and provide it soon.

Best regards,

Geoff.








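The retransmission problem described in this report, as an added example (not code from the thread or from FreeRADIUS): it builds RFC 2866 Accounting-Requests with a constructed shared secret and shows that adding Acct-Delay-Time under the same Identifier changes the Request Authenticator, so C's reply to the first copy no longer verifies against B's retransmission, while each of the two fixes proposed keeps the exchange consistent.

```python
"""Added example, not from the thread or from FreeRADIUS: model the
Accounting-Request retransmission problem described in the report.
Packet layout and authenticator rules are from RFC 2865 section 3 and
RFC 2866 section 3; the shared secret and attribute values are constructed."""
import hashlib
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ACCT_STATUS_TYPE = 40   # RFC 2866 section 5.1
ACCT_DELAY_TIME = 41    # RFC 2866 section 5.2
ACCT_SESSION_ID = 44    # RFC 2866 section 5.5

SECRET = b"constructed-shared-secret"  # constructed for this demo


def encode_attr(attr_type, value):
    """Encode one attribute as Type / Length / Value (RFC 2865 section 5)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attrs(packet):
    """Decode the attribute list of a packet into (type, raw value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_acct_request(identifier, attrs, secret=SECRET):
    """Build an Accounting-Request. RFC 2866 section 3: Request Authenticator
    = MD5(Code + ID + Length + 16 zero octets + attributes + secret), so
    any change to the attributes changes the authenticator too."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_acct_response(request, secret=SECRET):
    """Build the attribute-less Accounting-Response the proxy (C) returns.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_matches(response, outstanding_request, secret=SECRET):
    """What server B does on receipt: recompute the Response Authenticator
    from the request it currently has outstanding and compare."""
    if response[1] != outstanding_request[1]:
        return False
    expected = hashlib.md5(response[:4] + outstanding_request[4:20] + secret)
    return response[4:20] == expected.digest()


def retransmit(request, delay_seconds=None, new_identifier=None, secret=SECRET):
    """Rebuild a request for retransmission.  delay_seconds adds or updates
    Acct-Delay-Time (the refresh_request behaviour in the report); new_identifier
    changes the Identifier, which RFC 2866 section 4.1 requires once the
    attributes changed.  With both left at None the packet is byte-identical."""
    attrs = parse_attrs(request)
    if delay_seconds is not None:
        attrs = [(t, v) for t, v in attrs if t != ACCT_DELAY_TIME]
        attrs.append((ACCT_DELAY_TIME, delay_seconds))
    identifier = request[1] if new_identifier is None else new_identifier
    return build_acct_request(identifier, attrs, secret)


def proxy_scenario():
    """Replay the A -> B -> C exchange: C answers only the first copy it saw."""
    original = build_acct_request(7, [(ACCT_STATUS_TYPE, 1), (ACCT_SESSION_ID, b"0001")])
    buggy = retransmit(original, delay_seconds=5)                   # same ID, new attrs
    fix1 = retransmit(original)                                     # no Acct-Delay-Time
    fix2 = retransmit(original, delay_seconds=5, new_identifier=8)  # a new request
    response = build_acct_response(original)
    return {
        "buggy_keeps_id": buggy[1] == original[1],
        "buggy_changes_authenticator": buggy[4:20] != original[4:20],
        "buggy_response_dropped": not response_matches(response, buggy),
        "fix1_identical_retransmission": fix1 == original,
        "fix1_response_accepted": response_matches(response, fix1),
        # with fix 2, B must keep the first request around to match C's reply
        "fix2_is_new_request": fix2[1] != original[1]
                               and response_matches(response, original),
    }


if __name__ == "__main__":
    for check, ok in proxy_scenario().items():
        print(f"{check}: {ok}")
```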


openldap+freeradius+Cisco

2006-10-27 Thread [EMAIL PROTECTED]
Hi,
I'm trying to authenticate and authorize Cisco router administrators, but the authorization (privilege level) does not work, i.e. not when I add "aaa authorization exec default group radiusvrf if-authenticated" to the Cisco router to be able to manage privileges with RADIUS.

To make it work, I think I need to configure the Service-Type and cisco-avpair attributes for each user to get the authorization from the Cisco router.
I want to configure these attributes in FreeRADIUS, not in OpenLDAP.

So, is it possible to add these attributes to a specific user in the raddb/users file after he has been authenticated by LDAP? Or must I do it differently?




in raddb/radiusd.conf: 

authorize {
preprocess
files
ldap
}


authenticate {
Auth-Type PAP {
pap
}
Auth-Type LDAP {
ldap
}
}
I tried with a user and a DEFAULT user:

raddb/users:


Robert  Service-Type = NAS-Prompt-User
        cisco-avpair = "shell:priv-lvl=1"

DEFAULT Service-Type = NAS-Prompt-User
        cisco-avpair = "shell:priv-lvl=1"

But these attributes seem not to be sent to the router. When ldap is in authorize in radiusd.conf, is the users file not checked anymore?



Thanks for your help

Thomas

Re: FR with AD authentication not working

2006-10-27 Thread A . L . M . Buxey
hi,

remove the System authentication line from your users file. 

alan


Re: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf

All,
I finally got it working, but not yet as I want.
The trick that made it work is setting auth-type := MSCHAPv2 for the user(s),
and I also started radiusd as root (I changed the rights without success to
radiusd, but once everything is working I will try to run again with the
radiusd user).

If I connect my user(s) with [EMAIL PROTECTED] it works,
but if I use realm\username the realm is found but no NTLM is used (and
authentication fails).

Below you find an extract from the debug where you can see that the correct
realm is found. Do I need some options?
(BTW, I need this to work because automatic logon to the wifi from Windows XP
with Windows credentials is in this format.)

  modcall[authorize]: module kmt-eu.kmtg.net returns noop for request 69
    rlm_realm: Looking up realm KMT-EU.KMTG.NET for User-Name = KMT-EU.KMTG.NET\sstruyf
    rlm_realm: Found realm KMT-EU.KMTG.NET
    rlm_realm: Adding Stripped-User-Name = sstruyf
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = KMT-EU.KMTG.NET
    rlm_realm: Authentication realm is LOCAL.


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED] wrote on 10/26/2006 05:05:44 PM:

> [EMAIL PROTECTED] wrote:
> > I am trying to authenticate my wifi users via our AD. I'm finding
> > bits and pieces on the internet to configure things, but no completely
> > usable howto.
>
> What's missing from any of the HOWTO's? There's some on the Wiki,
> and one on my site.
>
> > Exec-Program-Wait: plaintext: winbind client not authorized to use
> > winbindd_pam_auth_crap. Ensure permissions on
> > /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
>
> You're running the server as non-root, and the programs it executes
> don't run as root, so they don't have permissions to read that
> directory. Make the server run as root, or fix the permissions.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

FW: SIGSEGV SEGV_MAPERR

2006-10-27 Thread Barry A Byrne
 
[Apologies, I may have sent this before from the wrong mail-box]


Hello
 I am running the Blastwave packaging of Freeradius 1.0.1 on Solaris
8, sparc. 
This interfaces with MySQL version 4.0.18-log, built from source.
 
The RADIUS server inexplicably terminates with no core dump or logged
messages
 
The tail of a truss log shows:
bash-2.05# grep SEGV_MAPERR truss.log | wc -l
    1766
bash-2.05# tail -20 truss.log
10471/6:    978.8120    Incurred fault #6, FLTBOUNDS  %pc = 0xFED714F4
10471/6:      siginfo: SIGSEGV SEGV_MAPERR addr=0x0003
10471/6:    978.8121    Received signal #11, SIGSEGV [caught]
10471/6:      siginfo: SIGSEGV SEGV_MAPERR addr=0x0003
10471/6:    978.8123    sigprocmask(SIG_SETMASK, 0xFF17CFB8, 0x) = 0
10471/6:    978.8124    sigprocmask(SIG_SETMASK, 0xFF188CE0, 0x) = 0
10471/6:    978.8125    setcontext(0xFE702CD0)
10471/6:    978.8127    Incurred fault #6, FLTBOUNDS  %pc = 0xFED714F4
10471/6:      siginfo: SIGSEGV SEGV_MAPERR addr=0x0003
10471/6:    978.8128    Received signal #11, SIGSEGV [caught]
10471/6:      siginfo: SIGSEGV SEGV_MAPERR addr=0x0003
10471/6:    978.8130    sigprocmask(SIG_SETMASK, 0xFF17CFB8, 0x) = 0
10471/6:    978.8131    sigprocmask(SIG_SETMASK, 0xFF188CE0, 0x) = 0
10471/6:    978.8132    setcontext(0xFE702CD0)
10471/6:    978.8134    Incurred fault #6, FLTBOUNDS  %pc = 0xFED714F4
10471/6:      siginfo: SIGSEGV SEGV_MAPERR addr=0x0003
10471/6:    978.8135    Received signal #11, SIGSEGV [caught]
10471/6:      siginfo: SIGSEGV SEGV_MAPERR addr=0x0003
10471/6:    978.8137    sigprocmask(SIG_SETMASK, 0xFF17CFB8, 0x) = 0
10471/1:    978.8140    _exit(1)

 
It got into a SEGV_MAPERR 1766 times while I had it under truss...
 
This error is superficially similar to the one reported by Terry J Fike Jr
in July 2004, but here the server exits voluntarily.
 
Has this problem been encountered before?
What further investigation should I do?
 
Thank you,
  Barry 


Barry A Byrne
Network Applications and Public Services, Cable & Wireless




Re: freeradius and ntlm_auth howto

2006-10-27 Thread Phil Mayers

[EMAIL PROTECTED] wrote:

> All,
> I finally got it working, but not yet as I want.
> The trick that made it work is setting auth-type := MSCHAPv2 for the

You should not do that, and should not *have* to do that.

Most likely you have not put the mschap module in the authorize section, 
*or* you have put another module higher up that is setting the Auth-Type 
first, e.g. LDAP.


You should have:

authorize {
  preprocess
  mschap
  # other modules, maybe files?
}
authenticate {
  Auth-Type MS-CHAP {
mschap
  }
}

> user(s) and I also started radiusd as root (changed the rights without
> success to radiusd, but once everything is working I will try to run
> again with the radiusd user)


That's probably permissions on the winbind socket - see

[EMAIL PROTECTED] var]$ ls -ld /var/cache/samba/winbindd_privileged/
drwxr-x--- 2 root root 4096 Jul 24 21:36 
/var/cache/samba/winbindd_privileged/


...radius will need to be able to get into that directory and access the 
unix socket inside.


Many distributions have the unix group squid setup to be able to read 
it for the purposes of Squid+ntlm. If so, just add the radiusd user to 
the squid group. Or, create an ntlmauth group and set permissions 
appropriately.


If you are on an SELinux distribution, watch for that.


> If I connect my user(s) with [EMAIL PROTECTED] it works,
> but if I use realm\username the realm is found but no NTLM is used (and
> authentication fails).
>
> Below you find an extract from the debug where you can see that the

An extract is no use. Please show the full debug output for a failing 
session.


HOWEVER, first you may want to check your mschap module definition:

modules {
  mschap {
    ntlm_auth = "/usr/bin/ntlm_auth \
      --request-nt-key \
      --username=%{mschap:User-Name:-None} \
      --domain=%{mschap:NT-Domain:-None} \
      --challenge=%{mschap:Challenge:-00} \
      --nt-response=%{mschap:NT-Response:-00}"
  }
}

...the ntlm_auth value all on one line of course. Note the use of the
mschap:User-Name and mschap:NT-Domain values.


FreeRadius not stable on my server

2006-10-27 Thread Nataniel Klug

   Hello all,

   I am using FreeRadius to authenticate my PPPoE clients. This is the 
version I am using:


[EMAIL PROTECTED] radius]# radiusd -v
radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 20 2006 at 
08:14:50

Copyright (C) 2000-2003 The FreeRADIUS server project.

   My system uses /etc/passwd and /etc/shadow to look up a login 
and then let that client connect to the PPPoE concentrator. I have 4 
PPPoE concentrators and I am having a problem: sometimes my FreeRADIUS 
gets a little crazy and closes some connections, and other times it just 
says that the client is still connected and blocks the client from connecting 
(because of max login set to 1), like in these two situations:


=== NO LOGIN RECORD ===
Fri Oct 27 08:45:37 2006 : Auth: Login OK: [pauloperez] (from client ns3 
port 2846 cli 00:4F:62:02:96:00)
Fri Oct 27 08:47:09 2006 : Error: rlm_radutmp: Logout for NAS ns3 port 
2827, but no Login record
Fri Oct 27 08:47:23 2006 : Auth: Login OK: [maquiagro] (from client ns3 
port 2847 cli 00:4F:62:09:E8:BB)


Fri Oct 27 08:52:13 2006 : Auth: Login OK: [joilce] (from client ema 
port 14413 cli 00:4F:62:04:D9:5D)
Fri Oct 27 08:52:15 2006 : Error: rlm_radutmp: Logout for NAS ns3 port 
2698, but no Login record
Fri Oct 27 08:52:29 2006 : Auth: Login OK: [paulogava] (from client ns3 
port 2860 cli 00:4F:62:09:E7:8F)



=== MAX LOGIN===
Fri Oct 27 08:09:00 2006 : Auth: Multiple logins (max 1) : [carine] 
(from client ns3 port 2769 cli 00:06:F4:0A:D6:76)

Fri Oct 27 08:09:06 2006 : Auth: rlm_unix: [carine]: invalid password
Fri Oct 27 08:09:06 2006 : Auth: Login incorrect: [carine/] (from client 
ns3 port 2770 cli 00:06:F4:0A:D6:76)

Fri Oct 27 08:09:19 2006 : Auth: rlm_unix: [carine]: invalid password


   What can I do to make my RADIUS system more stable? Migrate it to a 
MySQL solution? I have about 200 login records at peak usage time and an 
average of 80 during the day.


Att,

Nataniel Klug .'.


Re: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf

Here's the full log:
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.104.254.73:1645, id=67, length=259
        User-Name = KMT-EU.KMTG.NET\\sstruyf
        Framed-MTU = 1400
        Called-Station-Id = 0016.469b.7cd0
        Calling-Station-Id = 0011.851a.cc37
        Service-Type = Login-User
        Message-Authenticator = 0xfeb711c4400f8f34b9fef7c2be7f77bc
        EAP-Message = 0x020900691900170301005e5971fff2b46b2f81e88ed248772a59c1860abf0ebe40379c9e20c0ac6edd9cb19abe8ebfe82595c54bc12a979c51182f9b58d130708870f1b6bb17c1cd8249a64ddae5750e9411d4e337bd0876f393e83f2015b4c783ee35db02041bad3
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2936
        State = 0x5d8298849858ea61aec0380c81af200d
        NAS-IP-Address = 10.104.254.73
        NAS-Identifier = WAP07KE
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
  modcall[authorize]: module mschap returns noop for request 7
    rlm_realm: No '@' in User-Name = KMT-EU.KMTG.NET\sstruyf, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module kmt-eu.kmtg.net returns noop for request 7
    rlm_realm: Looking up realm KMT-EU.KMTG.NET for User-Name = KMT-EU.KMTG.NET\sstruyf
    rlm_realm: Found realm KMT-EU.KMTG.NET
    rlm_realm: Adding Stripped-User-Name = sstruyf
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = KMT-EU.KMTG.NET
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module ntdomain returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 105
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 7
    users: Matched sstruyf at 98
  modcall[authorize]: module files returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f13681af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966
  PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
  PEAP: Adding old state with 46 61
  PEAP: Sending tunneled request
        EAP-Message = 0x020900521a0209004d3160a685c531c746f19621bbdd8d3f13681af36673f68f9f26b4cc76bf8cd9f440dc36396981ad345004b4d542d45552e4b4d54472e4e45545c73737472757966
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = KMT-EU.KMTG.NET\\sstruyf
        State = 0x4661e4398678b434bf08ae113a631207
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
  modcall[authorize]: module mschap returns noop for request 7
    rlm_realm: No '@' in User-Name = KMT-EU.KMTG.NET\sstruyf, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module kmt-eu.kmtg.net returns noop for request 7
    rlm_realm: Looking up realm KMT-EU.KMTG.NET for User-Name = KMT-EU.KMTG.NET\sstruyf
    rlm_realm: Found realm KMT-EU.KMTG.NET
    rlm_realm: Adding Stripped-User-Name = sstruyf
    rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
    rlm_realm: Adding Realm = KMT-EU.KMTG.NET
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module ntdomain returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 82
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 7
    users: Matched sstruyf at 98
  modcall[authorize]: module files returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'

Open access

2006-10-27 Thread Sean
Hi, 

I want to grant access to any user or password on my backup server. I
found DEFAULT Auth-Type := Accept in the FAQ, however it gives no hint
as to where to put the code. I've been trying various parts of
raddb.conf with no success.

Any help appreciated as usual.

Sean Bracken


RE: Open access

2006-10-27 Thread Jonathan De Graeve


> -----Original message-----
> From: freeradius-users-[EMAIL PROTECTED]
> [mailto:freeradius-users-[EMAIL PROTECTED]] On behalf of Sean
> Sent: Friday 27 October 2006 14:20
> To: freeradius-users@lists.freeradius.org
> Subject: Open access
>
> Hi,
>
> I want to grant access to any user or password on my backup server. I
> found DEFAULT Auth-Type := Accept in the FAQ, however it gives no hint
> as to where to put the code. I've been trying various parts of
> raddb.conf with no success.

Place it in users.

- --
Jonathan De Graeve
IMELDA vzw
Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98





Re: radius + mysql problem

2006-10-27 Thread Hernan Antolini

Sri, does it never work? How did you build your radius? What's your platform
and MySQL version? Did you remember to have mysql-devel (MySQL headers)
available when you built FreeRADIUS? It seems to me that the driver is not
working.
In the message below, the driver name rlm_sql_mysq is a typo (should be mysql).
Did you make the right configs in your sql.conf?
Hope it helps,
regards


Hernan Antolini

[EMAIL PROTECTED] wrote on 10/26/2006 10:10:30 PM:

> Hello all,
>
> I am trying to configure freeradius with mysql. I did the
> relevant changes in radiusd.conf and when I start the server in
> debug mode, it is giving an error:
> rlm_sql (sql): Could not link driver rlm_sql_mysq: file not found
> rlm_sql (sql): Make sure it (all its dependent libraries) are in the
> search path of your system's ld.
> radiusd.conf[14]: sql: Module instantiation failed.
> Here are the changes I made in the radiusd.conf file:
>   sqltrace=yes
>   uncommented the line sql in the Authorize section.
>   commented the line sql in the preacct section.
>   uncommented the line sql in the accounting section.
> Created the radius database using the schema in the file db_mysql.sql.
>
> What can be the problem with the configuration? Please clarify any other
> config changes required.
>
> Thanks in advance.
>
> Regards,
> Sri

RE: freeradius and ntlm_auth howto

2006-10-27 Thread Garber, Neal

Did you notice the response from ntlm_auth:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=decc4450c3b83d2c --nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345
Exec-Program output: Logon failure (0xc06d)

This indicates an invalid username or password.
Try running "/usr/bin/ntlm_auth --username=sstruyf" and entering
the same password you used in your previous test when prompted. Is the
username correct? Is samba going to the correct domain by default? Did
you enter the correct password? If you can't authenticate from the
command line, you won't be able to do so from freeradius either.







Re: openldap+freeradius+Cisco

2006-10-27 Thread [EMAIL PROTECTED]
OK, it works fine now with this in the users file:

Robert  Auth-Type = LDAP
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"

But it is said in radius.conf not to use Auth-Type = LDAP.
So is there another solution to add these attributes in the reply?

Thomas


RE: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf


[EMAIL PROTECTED] wrote on 10/27/2006 02:54:52 PM:

> Did you notice the response from ntlm_auth:
>
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf
> --challenge=decc4450c3b83d2c --nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345
> Exec-Program output: Logon failure (0xc06d)
>
> This indicates an invalid username or password.
> Try running "/usr/bin/ntlm_auth --username=sstruyf" and entering the same
> password you used in your previous test when prompted. Is the
> username correct? Is samba going to the correct domain by default?
> Did you enter the correct password? If you can't authenticate from
> the command line, you won't be able to do so from freeradius either.

From the command line everything is working, and the
same username/realm works if I pass it as [EMAIL PROTECTED] instead
of realm\username. So I am absolutely sure the user is OK.
I will check with our AD admin if he sees something
in his logs.

Freeradius is mad ! Or me...

2006-10-27 Thread benodilo
Hi,

I have a FreeRADIUS on a Fedora Core 5 with a MySQL backend.
It worked fine for 20 days.

But I stopped it (/etc/init.d/radiusd stop) and used the radiusd -A command for
testing another login for MySQL. And since this change the RADIUS server can
connect to the MySQL server in debug mode (radiusd -X), but if I use the command
/etc/init.d/radiusd start the clients can't connect and the log (see
bottom) says it can't connect to the MySQL server.

Why does the command radiusd -A work fine and not /etc/init.d/radiusd start???

I really don't understand why! I will go mad


How to configure/store NAS clients in LDAP instead of clients.conf

2006-10-27 Thread Lenir Santiago
Hi guys,

I've been looking for the past two days all over the web regarding this subject. Sorry if this question has been posted before. With rlm_sql I'm able to store NAS clients in a SQL table. I want to do the same but with LDAP. Is there a way that rlm_ldap can look up NAS clients from my LDAP server?

Thanks in advance.

Lenir

HP-UX and AIX pam_radius problem

2006-10-27 Thread Arthur Caetano
Hi everybody, I have a problem with the RADIUS module for PAM. When I compile the source of pam_radius-1.3.16.tar, I get a lot of errors. I applied the patches available on the list, but the problems persist. In the HP-UX environment the messages are:

begin
[root] patch_pam_radius make
gcc -z -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function 'talk_radius':
pam_radius_auth.c:885: warning: passing argument 6 of 'recvfrom' from incompatible pointer type
pam_radius_auth.c: In function 'rad_converse':
pam_radius_auth.c:1021: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1024: warning: passing argument 2 of 'conv->conv' from incompatible pointer type
pam_radius_auth.c: In function 'pam_sm_authenticate':
pam_radius_auth.c:1076: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
pam_radius_auth.c:1104: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1118: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1151: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function 'pam_sm_setcred':
pam_radius_auth.c:1247: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_radius_auth.c: In function 'pam_private_session':
pam_radius_auth.c:1272: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
pam_radius_auth.c:1293: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function 'pam_sm_chauthtok':
pam_radius_auth.c:1379: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
pam_radius_auth.c:1400: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1409: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1414: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
gcc -z -fPIC -c md5.c
ld -b pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
[root] patch_pam_radius
end

Apparently it compiles, but the pam_radius_auth.so does not work; it causes a problem in sshd, as follows:

sshd[20783]: reverse mapping checking getaddrinfo for x.x.xxx - POSSIBLE BREAKIN ATTEMPT!

I applied this patch for HP-UX:
===
Begin output listing from diff -u===diff -u clean/pam_radius-1.3.16/Makefile pam_radius-1.3.16/Makefile--- clean/pam_radius-1.3.16
/Makefile2003-09-19 10:41:45.0 -0400+++ pam_radius-1.3.16/Makefile  2003-12-23 11:21:26.0 -0500@@ -15,7 +15,10 @@ # #  If you're not using GCC, then you'll have to change the CFLAGS.
 #-CFLAGS = -Wall -fPIC
+#CFLAGS = -Wall -fPIC+# Added by jl 12/09/2003 for HP-UX+CFLAGS = +DAportable +DSPA7100 +z+# End Add jl # # On Irix, use this with MIPSPRo C Compiler, and don't forget to exportCC=cc # gcc on Irix does not work yet for pam_radius
@@ -55,7 +58,10 @@ #  gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so # pam_radius_auth.so: pam_radius_auth.o md5.o-   ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
+#  ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so+# Added by jl 12/09/2003 for HP-UX+   ld -b pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so+# End add jl ##
 #diff -u clean/pam_radius-1.3.16/md5.c pam_radius-1.3.16/md5.c--- clean/pam_radius-1.3.16/md5.c   2002-06-28 02:29:21.0 -0400+++ pam_radius-1.3.16/md5.c 2004-01-12 11:58:22.0 -0500
@@ -43,6 +43,12 @@ #define HIGHFIRST #endif+/* 01/12/2004 jl - Added for HPUX compiles */+#ifdef _INCLUDE_HPUX_SOURCE+#define HIGHFIRST+#endif+/* END jl */+ #ifndef HIGHFIRST

 #define byteReverse(buf, len)  /* Nothing */ #elsediff -u clean/pam_radius-1.3.16/md5.h pam_radius-1.3.16/md5.h--- clean/pam_radius-1.3.16/md5.h   2003-04-29 16:19:16.0 -0400+++ pam_radius-1.3.16
/md5.h 2003-12-16 11:33:55.0 -0500@@ -15,7 +15,10 @@ #define MD5Transform  pra_MD5Transform #include sys/types.h-#define uint32 u_int32_t+/* Added by jl */+/* #define u_int32_t unsigned int */
+/* #define uint32 u_int32_t */+#define uint32 uint32_t struct MD5Context { uint32 buf[4];Only in pam_radius-1.3.16: md5.odiff -u clean/pam_radius-1.3.16/pam_radius_auth.cpam_radius-
1.3.16/pam_radius_auth.c--- clean/pam_radius-1.3.16/pam_radius_auth.c   2003-02-2713:01:07.0 -0500+++ pam_radius-1.3.16/pam_radius_auth.c 2004-01-12 12:00:52.0 -0500@@ -58,6 +58,11 @@
 #ifdef sun #include security/pam_appl.h #endif+/* Added by jl 12/09/2003 */+#ifdef _INCLUDE_HPUX_SOURCE+#include security/pam_appl.h+#endif+/* End add jl */ #include security/pam_modules.h
 #include 
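Review bot: the first Makefile hunk replaces CFLAGS unconditionally with HP cc options (`+DAportable +DSPA7100 +z`), yet the build log at the top of this message shows the module being compiled with `gcc -z -fPIC`, so either the hunk was not applied or a gcc build will fail on those options. Keep the gcc line active and offer the HP-UX line as a commented alternative, the way the Irix case a few lines further down is handled, or select it through a make variable.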
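Review bot: the second Makefile hunk hard-codes the HP-UX link step (`ld -b ... -o pam_radius_auth.so`) in place of `ld -Bshareable`, so the same Makefile no longer builds on the platforms the original line served. Put the linker and its shared-object flag into variables (the commented `gcc -shared ...` line in the same hunk already shows the gcc form) rather than commenting out the previous rule.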
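Review bot: the md5.c hunk defines HIGHFIRST under `#ifdef _INCLUDE_HPUX_SOURCE`, which is a feature-test macro that the HP-UX system headers define, not a statement about byte order; it gives the right answer because HP-UX targets are big-endian, but it only takes effect if a system header was included before this point, and it belongs next to the other byte-order tests with a comment saying why it is there. The `Only in pam_radius-1.3.16: md5.o` line also shows the diff was taken against a built tree; clean the tree before regenerating the patch.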
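Review bot: the md5.h hunk switches `uint32` to `uint32_t` while the only include before it is `sys/types.h`; `uint32_t` is declared in `<inttypes.h>` (or `<stdint.h>`), so add that include instead of relying on `sys/types.h` to pull it in, and drop the two commented-out earlier attempts the hunk leaves behind.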
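Review bot: the pam_radius_auth.c hunk adds a second `#include <security/pam_appl.h>` block guarded by `_INCLUDE_HPUX_SOURCE` directly under the identical `#ifdef sun` block; fold them into one `#if defined(sun) || defined(_INCLUDE_HPUX_SOURCE)`. The include also does nothing about the `pam_get_item` / `pam_get_user` / `pam_get_data` "incompatible pointer type" warnings in the build log above, which say the HP-UX PAM prototypes expect a differently qualified pointer (typically `void **` rather than `const void **`) at those call sites; those mismatches, not the include, are the likelier reason the built module misbehaves. Note too that the quoted sshd line ("reverse mapping checking getaddrinfo ... POSSIBLE BREAKIN ATTEMPT") is sshd's reverse-DNS mismatch warning and says nothing about what the PAM stack returned; the module's own syslog output would.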

RE: freeradius and ntlm_auth howto

2006-10-27 Thread King, Michael
Let's see if we can get this solved... 

 -Original Message-
 Here's the full log: 
 Waking up in 6 seconds... 
 rad_recv: Access-Request packet from host 10.104.254.73:1645, 

This is NOT the full log.  The full log would have started with the line
/path/to/radiusd -X

Some important stuff is printed out there, it helps us help you.  


   rlm_mschap: NT Domain delimeter found, should we have 
 enabled with_ntdomain_hack? 
   rlm_mschap: NT Domain delimeter found, should we have 
 enabled with_ntdomain_hack? 

Did you enable Ntdomain Hack in the MSCHAP module?  (See below)


Including your radius.conf file would help.


  HOWEVER, first you may want to check your mschap module definition:
  
  modules {
 mschap {
   ntlm_auth = /usr/bin/ntlm_auth \
--request-nt-key \
--username=%{mschap:User-Name:-None} \
--domain=%{mschap:NT-Domain:-None} \
--challenge=%{mschap:Challenge:-00} \
--nt-response=%{mschap:NT-Response:-00}
  
  ...all on one line of course. Note the use of the 
 mschap:User-Name 
  and mschap:NT-Domain values.

My radiusd.conf file's mschap section looks like this:
NOTE that I do NOT have the :-00 and the :-None defaults, and I DO
have with_ntdomain_hack=yes


# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
with_ntdomain_hack = yes
ntlm_auth = /usr/bin/ntlm_auth \
--request-nt-key \
--username=%{mschap:User-Name} \
--challenge=%{mschap:Challenge} \
--nt-response=%{mschap:NT-Response}
}


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
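To make the two settings in the mschap section above concrete, here is an added example (my code, not from the list post and not FreeRADIUS's own rlm_mschap) showing what `%{mschap:User-Name}` and `%{mschap:NT-Domain}` resolve to for a `DOMAIN\user` login, and why `with_ntdomain_hack` matters: the MS-CHAPv2 challenge that ntlm_auth receives as `--challenge` is derived (RFC 2759, ChallengeHash) from the user name, and a Windows client hashes only the bare user name, so hashing `DOMAIN\user` produces a different challenge and the NT-Response never verifies. The names, challenge bytes and the `:-None` / `:-00` fallback handling are constructed to mirror the quoted config.

```python
"""MS-CHAPv2 challenge derivation with and without the NT-domain prefix.

Added example (not code from the list post or from FreeRADIUS).  The sample
challenges and names are constructed.
"""
import hashlib
from typing import List, Optional, Tuple


def split_nt_name(user_name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); a bare name gets domain None.
    This is what %{mschap:NT-Domain} and %{mschap:User-Name} expand to."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain, user
    return None, user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): SHA1 over the 16-byte peer
    challenge, the 16-byte authenticator challenge and the user name,
    truncated to 8 bytes.  These 8 bytes are the --challenge argument."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("utf-8")).digest()
    return digest[:8]


def mschap_challenge(user_name: str, peer_challenge: bytes, auth_challenge: bytes,
                     with_ntdomain_hack: bool) -> bytes:
    """With the hack enabled the domain prefix is stripped before hashing,
    matching what a Windows client does; without it the full string is hashed."""
    _domain, user = split_nt_name(user_name)
    name_for_hash = user if with_ntdomain_hack else user_name
    return challenge_hash(peer_challenge, auth_challenge, name_for_hash)


def ntlm_auth_argv(user_name: str, challenge: Optional[bytes], nt_response: Optional[bytes],
                   ntlm_auth_path: str = "/usr/bin/ntlm_auth") -> List[str]:
    """Argument vector the quoted ntlm_auth line expands to, with the
    ':-None' / ':-00' fallbacks applied when a value is missing."""
    domain, user = split_nt_name(user_name)
    return [
        ntlm_auth_path,
        "--request-nt-key",
        f"--username={user or 'None'}",
        f"--domain={domain or 'None'}",
        f"--challenge={challenge.hex() if challenge else '00'}",
        f"--nt-response={nt_response.hex() if nt_response else '00'}",
    ]


if __name__ == "__main__":
    peer, auth = bytes(range(16)), bytes(range(16, 32))   # constructed challenges
    for hack in (True, False):
        c = mschap_challenge("EXAMPLE\\alice", peer, auth, hack)
        print(f"with_ntdomain_hack={'yes' if hack else 'no':3} challenge={c.hex()}")
    print(" ".join(ntlm_auth_argv("EXAMPLE\\alice", mschap_challenge("EXAMPLE\\alice", peer, auth, True), None)))
```

Running it prints two different challenges for the same login; only the `with_ntdomain_hack=yes` one equals the challenge computed for the bare name `alice`, which is the value the client's NT-Response was built from.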


RE: Open access (Jonathan De Graeve)

2006-10-27 Thread Sean
Hi Jonathan,

Thanks for the quick response. It worked first time.

Regards,

Sean

http://swarmhotspots.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : Freeradius is mad ! Or me...

2006-10-27 Thread Thibault Le Meur
 Why does the command radiusd -A work fine and not 
 /etc/init.d/radiusd start ???

When you run 'radiusd -A' (I suppose you're root), you are running the
radius Server as Root.

When you run /etc/init.d/radiusd start, it switches to the 'radiusd' user
identity (in FC5).

So it is possible that you have a permission issue on some config file.

Try to run:
# su - radiusd --shell /bin/bash
$ radiusd -X

You'll see if there is a permission issue.

HTH,
Thibault


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
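The `su - radiusd` test above finds the problem one file at a time; the following added example (my code, not from the list reply and not FreeRADIUS code) checks a whole configuration tree in one pass by evaluating the owner/group/other mode bits for the service account's uid and gids, the way the kernel does once radiusd has dropped root. It models mode bits only (ACLs or SELinux labels need their own check) and uses a constructed temporary directory with a uid and gid that are neither the owner nor the group, standing in for the `radiusd` account.

```python
"""Find config files a non-root service account cannot read.

Added example (not from the list reply, not FreeRADIUS code).  Only the
classic mode bits are modelled; the sample tree is constructed.
"""
import os
import shutil
import stat
import tempfile
from typing import Iterable, List, Set


def _granted(st: os.stat_result, uid: int, gids: Set[int],
             user_bit: int, group_bit: int, other_bit: int) -> bool:
    """Apply the permission class that matches the caller: owner first,
    then group membership, then 'other'; classes do not fall through."""
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_read(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    return _granted(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_traverse(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    """A directory needs its execute bit to be entered, not just read."""
    return _granted(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def unreadable_paths(root: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Paths under root (relative to it) that uid/gids cannot read or traverse.
    uid 0 bypasses mode bits, which is exactly why 'radiusd -X' run as root
    does not show the problem the init script hits."""
    gset = set(gids)
    bad: List[str] = []
    if uid == 0:
        return bad
    for dirpath, _dirnames, filenames in os.walk(root):
        dst = os.stat(dirpath)
        if not (can_read(dst, uid, gset) and can_traverse(dst, uid, gset)):
            bad.append(os.path.relpath(dirpath, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not can_read(os.stat(path), uid, gset):
                bad.append(os.path.relpath(path, root))
    return sorted(bad)


def demo() -> List[str]:
    """Constructed raddb: a world-readable 'users', an owner-only 'eap.conf'
    and a certs/ directory without the traverse bit, checked as an account
    that is neither the owner nor in the owning group."""
    root = tempfile.mkdtemp(prefix="raddb-")
    try:
        os.chmod(root, 0o755)
        for name, mode in (("users", 0o644), ("eap.conf", 0o600)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("# constructed\n")
            os.chmod(os.path.join(root, name), mode)
        certs = os.path.join(root, "certs")
        os.mkdir(certs)
        with open(os.path.join(certs, "server.pem"), "w") as fh:
            fh.write("# constructed\n")
        os.chmod(os.path.join(certs, "server.pem"), 0o644)
        os.chmod(certs, 0o700)
        other_uid, other_gid = os.getuid() + 1, os.getgid() + 1
        return unreadable_paths(root, other_uid, {other_gid})
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path in demo():
        print("not readable by the service account:", path)
```

On a real system you would call `unreadable_paths("/etc/raddb", uid, gids)` with the values from `id radiusd`, run as root so every file can be stat'ed; the list it returns is what `chown`/`chmod` needs to fix before the init script will start the server.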


Re: How to configure/store NAS clients in LDAP instead of clients.conf

2006-10-27 Thread Alan DeKok
Lenir Santiago [EMAIL PROTECTED] wrote:
 I've been looking for the past two days all over the web regarding
 this subject. Sorry if this question has been posted before. With
 rlm_sql I'm able to store NAS clients in a SQL table. I want to do
 the same but with LDAP.

  It's not possible.  If it was possible, it would have been documented.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accountig-Response

2006-10-27 Thread Alan DeKok
Vasea Marii [EMAIL PROTECTED] wrote:
 Actually the situation is a little bit more complicated! The route
 is sent as you said in Access-Accept but because there are more than
 one possible route and congestions are possible, when I receive
 Accounting-Stop with the cause "route overloaded", I send in
 Accounting-Response the second possible route to make things go faster!

  You cannot do that.  Stop trying to send attributes in
Accounting-Response, RADIUS simply does not work that way.

  Send the correct information in Access-Accept.

 Now is the case as i said the procedure is made for voice calls and
 the procedure can't be modified! The ONLY solution in my case is this!

  No.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
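The exchange Alan is describing, as an added example (my code, not from the thread and not FreeRADIUS): an RFC 2866 Accounting-Request and its Accounting-Response built and verified in Python. It shows the two authenticators that tie the pair together: the request authenticator is MD5 over the packet with the authenticator field zeroed plus the shared secret, and the response authenticator is MD5 over the response carrying the *request's* authenticator in that field plus the secret. The response builder accepts attributes only to show that the wire format permits them; as the thread says, the NAS does not act on them, which is why routing decisions belong in Access-Accept. What a server operator gets from the verification side is the ability to drop accounting records that did not come from a NAS holding the secret. The secret and attribute values are constructed.

```python
"""RFC 2866 accounting exchange: build and verify Accounting-Request and
Accounting-Response packets.  Added example, not FreeRADIUS code; the
shared secret and attribute values are constructed.
"""
import hashlib
import hmac
import struct
from typing import Iterable, List, Tuple

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # RADIUS packet codes
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
ACCT_STOP = 2                                # Acct-Status-Type value for Stop
HEADER = struct.Struct("!BBH")               # code, identifier, length; then 16-byte authenticator


def encode_attrs(attrs: Iterable[Tuple[int, bytes]]) -> bytes:
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:                 # type + length octets + value <= 255
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse type/length/value triples, rejecting truncated or zero-length ones."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def _authenticator(code: int, ident: int, auth_field: bytes, body: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + auth_field + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(body))
    return hashlib.md5(header + auth_field + body + secret).digest()


def build_acct_request(ident: int, attrs: Iterable[Tuple[int, bytes]], secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    auth = _authenticator(ACCT_REQUEST, ident, b"\x00" * 16, body, secret)  # zeroed field
    return HEADER.pack(ACCT_REQUEST, ident, 20 + len(body)) + auth + body


def verify_acct_request(pkt: bytes, secret: bytes) -> bool:
    """What the server does before trusting an accounting record."""
    if len(pkt) < 20:
        return False
    code, ident, length = HEADER.unpack(pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return False
    expected = _authenticator(code, ident, b"\x00" * 16, pkt[20:], secret)
    return hmac.compare_digest(pkt[4:20], expected)


def build_acct_response(request: bytes, secret: bytes, attrs: Iterable[Tuple[int, bytes]] = ()) -> bytes:
    body = encode_attrs(attrs)
    ident, req_auth = request[1], request[4:20]  # same identifier, request's authenticator
    auth = _authenticator(ACCT_RESPONSE, ident, req_auth, body, secret)
    return HEADER.pack(ACCT_RESPONSE, ident, 20 + len(body)) + auth + body


def verify_acct_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the NAS does to match a response to its outstanding request."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if code != ACCT_RESPONSE or ident != request[1] or length != len(response):
        return False
    expected = _authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)


def demo_exchange(secret: bytes = b"constructed-secret") -> Tuple[bool, bool]:
    """NAS sends Accounting-Stop for 'alice'; the server verifies and answers."""
    request = build_acct_request(7, [
        (USER_NAME, b"alice"),
        (ACCT_STATUS_TYPE, ACCT_STOP.to_bytes(4, "big")),
        (ACCT_SESSION_ID, b"0000beef"),
    ], secret)
    request_ok = verify_acct_request(request, secret)
    response = build_acct_response(request, secret)
    return request_ok, verify_acct_response(response, request, secret)


if __name__ == "__main__":
    print("request verified, response verified:", demo_exchange())
```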


Re: FreeRadius not stable on my server

2006-10-27 Thread Alan DeKok
Nataniel Klug [EMAIL PROTECTED] wrote:
 I am having a problem: sometimes my freeradius 
 gets a little crazy and closes some connections and other times it just 
 says that the client is still connected and blocks the client from use 
 (because of max login set to 1), as in these two situations:

  FreeRADIUS doesn't close connections.  If it blocks users, it's
because it thinks the user is still logged in.

 What can I do to make my radius system more stable? Migrate it to a 
 MySQL solution? I have about 200 login records at peak usage time and an 
 average of 80 all day.

  It's stable.  Migrating to MySQL won't help.  A load of 80 logins
per day is tiny, and isn't a problem.

  I think the problem is that you're not clear why the server is
behaving the way it is.  Please explain *why* you think it's
unstable when someone tries to log in twice, and it rejects the
second attempt.  Why do you think the server closes connections?

  And the no login record issue is the fault of the NAS.  FreeRADIUS
is just logging what the NAS sends it.  See the FAQ.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR with AD authentication not working

2006-10-27 Thread Karthik R
Date: Fri, 27 Oct 2006 09:22:39 +0100
From: [EMAIL PROTECTED]
Subject: Re: FR with AD authentication not working
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

hi,
remove the System authentication line from your users file.
alan

Alan,

I tried commenting that line, but no luck,

Karthik
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

exec external script on successful proxy authentication

2006-10-27 Thread Mike

Dear list,

Is there a way to execute a script with the original request
attributes at the time of successful receipt of the authentication reply
from a home server when FreeRADIUS is used as a proxy?  We need to
execute an auxiliary action on successful authentication, but so far
have only found ways to do this at the time of the request.

Also, is it possible to add arbitrary attributes to the proxied
response?  Something just like preproxy_users, but rather
post_proxyusers?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accountig-Response

2006-10-27 Thread Vasea Marii
Thanks for your time Alan, I'll look again upon all this stuff!

Alan DeKok [EMAIL PROTECTED] wrote:
 Vasea Marii <[EMAIL PROTECTED]> wrote:
  Actually the situation is a little bit more complicated! The route
  is send as you said in Access-Accept but because there are more than
  one possible route and congestions are possible, when i recieve
  account-stop with the cause: route overloaded, i send in
  Account-Response the second possible route to make things go faster!

  You cannot do that. Stop trying to send attributes in
 Accounting-Response, RADIUS simply does not work that way.

  Send the correct information in Access-Accept.

  Now is the case as i said the procedure is made for voice calls and
  the procedure can't be modified! The ONLY solution in my case is
  this!

  No.

  Alan DeKok.
 --
  http://deployingradius.com - The web site of the book
  http://deployingradius.com/blog/ - The blog
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FR with AD authentication not working

2006-10-27 Thread Karthik R
 -Original Message-
 But while using the radtest tool with the same logon credentials as above it rejects the user and here is the log message.

Please paste the entire debug log. It looks like you missed a few bits
in the cut and paste.

Mike,

Here is the entire debug log. In the users file, auth-type =system has been commented out.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file = /usr/local/etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: 

RE: exec external script on successful proxy authentication

2006-10-27 Thread Garber, Neal
 Is there a way to execute a script with the original request
 attributes at the time of successful receipt of the authentication reply
 from a home server when FreeRADIUS is used as a proxy?  We need to
 execute an auxiliary action on successful authentication, but so far
 have only found ways to do this at the time of the request.

Have you looked at the post-proxy and/or post-auth stages in
radiusd.conf?
You could call a perl script during those stages.  The request and
reply attributes are available in hashes within the perl script.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: exec external script on successful proxy authentication

2006-10-27 Thread Mike

On 10/27/06, Garber, Neal [EMAIL PROTECTED] wrote:

 Is there a way to execute a script with the original request
 attributes at the time of successful receipt of the authentication reply
 from a home server when FreeRADIUS is used as a proxy?  We need to
 execute an auxiliary action on successful authentication, but so far
 have only found ways to do this at the time of the request.

Have you looked at the post-proxy and/or post-auth stages in
radiusd.conf?
You could call a perl script during those stages.  The request and
reply attributes are available in hashes within the perl script.


Yes, I have looked at these, but I did not see the files module having
the ability to be put into these stages.  If I understand correctly, you
are saying that it is possible to put the exec module into this
stage?  If this is so, what is the syntax?  In the other places the exec
module was used from the users file with something like

Attribute-Name += `{exec:my_command.tcl}`

But I do not know how to do this with post-proxy and post-auth stages.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: exec external script on successful proxy authentication

2006-10-27 Thread Garber, Neal
 you are saying that it is possible to put the exec module into this
 stage?  

Well, under the heading "I'd rather teach you to fish than give you
a fish", you can determine this by looking at the source.  If you
look at the bottom of src/modules/rlm_exec.c, you'll find:

module_t rlm_exec = {
        "exec",                 /* Name */
        RLM_TYPE_THREAD_SAFE,   /* type */
        NULL,                   /* initialization */
        exec_instantiate,       /* instantiation */
        {
                exec_dispatch,  /* authentication */
                exec_dispatch,  /* authorization */
                exec_dispatch,  /* pre-accounting */
                exec_dispatch,  /* accounting */
                NULL,           /* check simul */
                exec_dispatch,  /* pre-proxy */
                exec_dispatch,  /* post-proxy */
                exec_dispatch   /* post-auth */
        },
        exec_detach,            /* detach */
        NULL,                   /* destroy */
};

This indicates that post-proxy and post-auth are valid for rlm_exec.
If you do the same for rlm_files.c, you'll see NULL for post-proxy
and post-auth.  So, files does nothing in these stages.

 If this is so, what is the syntax?  In the other places exec
 module was used from the users file with something like

Read radiusd.conf.  You would define the module and then use it 
in the post-proxy or post-auth section of that file.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
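Putting Neal's two answers together (rlm_exec can run in post-proxy and post-auth; define the module in radiusd.conf and list it in that section), here is an added example of the script end of that setup, my code rather than the list's or FreeRADIUS's. It assumes an `exec` instance along the lines of `exec post_auth_hook { wait = yes, program = "/usr/local/bin/post_auth_hook.py", input_pairs = request, output_pairs = reply }` listed in the post-auth (or post-proxy) section; the instance name and path are assumptions. rlm_exec exports the request attributes to the child as environment variables with names upper-cased and hyphens turned into underscores (`User-Name` becomes `USER_NAME`), and with `output_pairs` set it parses the program's standard output as `Attribute = value` pairs to add to the reply, which also answers Mike's second question about adding attributes to a proxied response. The attribute chosen and the log text are constructed.

```python
#!/usr/bin/env python3
"""Post-auth / post-proxy hook for rlm_exec.

Added example (not the list's or FreeRADIUS's code).  Reads the request
attributes rlm_exec exported into the environment, logs the successful
authentication to stderr (which radiusd records) and emits one reply
attribute on stdout for rlm_exec to merge when output_pairs = reply.
"""
import os
import re
import sys
from typing import Dict, List, Mapping, Tuple


def attr_to_env(name: str) -> str:
    """Attribute name -> environment variable name, the rlm_exec convention."""
    return re.sub(r"[^A-Za-z0-9]", "_", name).upper()


def env_to_attrs(environ: Mapping[str, str], wanted: List[str]) -> Dict[str, str]:
    """Pick the request attributes we care about out of the environment."""
    found = {}
    for attr in wanted:
        key = attr_to_env(attr)
        if key in environ:
            found[attr] = environ[key]
    return found


def quote_value(value: str) -> str:
    """Quote a value for the 'Attribute = "value"' pair syntax rlm_exec parses."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reply_pairs(attrs: Mapping[str, str]) -> str:
    """One 'Attribute = "value"' line per reply attribute, as rlm_exec expects on stdout."""
    return "".join(f"{name} = {quote_value(value)}\n" for name, value in attrs.items())


def handle(environ: Mapping[str, str]) -> Tuple[int, str, str]:
    """Return (exit code, stdout text, log line).  Exit 0 means the hook
    succeeded; a non-zero exit makes rlm_exec return fail for the section."""
    request = env_to_attrs(environ, ["User-Name", "NAS-IP-Address", "Calling-Station-Id"])
    user = request.get("User-Name")
    if not user:
        return 1, "", "post-auth hook: request carries no User-Name"
    log = (f"post-auth hook: {user} accepted via NAS {request.get('NAS-IP-Address', '?')}"
           f" from {request.get('Calling-Station-Id', '?')}")
    # Constructed reply attribute; a real hook would write a ticket, update a
    # session table or similar here, then add whatever the NAS should see.
    stdout = reply_pairs({"Reply-Message": f"welcome {user}"})
    return 0, stdout, log


if __name__ == "__main__":
    code, out, log = handle(os.environ)
    sys.stderr.write(log + "\n")
    sys.stdout.write(out)
    sys.exit(code)
```

Keep `wait = yes` for a hook that returns attributes; without it rlm_exec does not read the output, which is also why the debug log earlier in this digest shows "Wait=yes but no output defined. Did you mean output=none?" for an instance that sets neither.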


experienced FreeRadius users in Switzerland?

2006-10-27 Thread Sean.Boran
Hi,

I was wondering if there are any Swiss-based sysadmins or developers
listening; I'd be interested in a physical meeting (BE, ZH, LS or GE) to
exchange 802.1x experience and ideas. [I speak DE/FR too if that helps]

Thanks in advance,

Sean Boran   

[s e a n AT b o r a n. c o m]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


How does freeradius calculate the number of required threads?

2006-10-27 Thread Pshem Kowalczyk

Hi group,

I'm trying to figure out the optimal configuration for our radius-proxy
farm. At the moment the farm is handling about 10-15 req/sec per device with the
following config (two servers, load-balanced using an SLB):

thread pool {
   start_servers = 20
   max_servers = 120
   min_spare_servers = 20
   max_spare_servers = 70
   max_requests_per_server = 300
}

   perl {

{...}
   max_clones = 100
   start_clones = 20
   min_spare_clones = 20
   max_spare_clones = 50
   cleanup_delay = 5
   max_request_per_clone = 100

   }

With this configuration both servers run between 25 and 35 threads.
Everything is fine (except for huge memory consumption), but when I
try to point another device to the load-balanced IP (the device creates
about 15-20 req/sec (auth+acct)) freeradius starts spawning threads
until it hits the limit (both freeradius and rlm_perl) and then it
locks. I suppose the problems are caused by the fact that the number
of requests increases so suddenly, but I have no other way of
switching the device over. Is there any way I can influence that
behaviour? I suspect that about 50-60 threads would do the job, but if
I drop the limit to 60 it just locks quicker.
Any ideas how to fix that?

regards
pshemko
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
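The question of how many threads a proxy needs has a rough answer from Little's law: the number of requests in flight equals the arrival rate multiplied by the time each request holds a worker, and on a proxy that time is dominated by the home server's round trip, not by local CPU. The following added example (my code, not from the post and not FreeRADIUS) applies that to the two pools quoted above. It assumes, as a modelling choice, that a worker thread holds one perl clone for the whole request, so the usable concurrency is the smaller of `max_servers` and `max_clones`; the service time and load figures are constructed inputs, and the real service time has to be measured from the proxy's own timings.

```python
"""Sizing check for a FreeRADIUS thread pool in front of rlm_perl clones.

Added example, not FreeRADIUS code.  Model assumption: each in-flight
request occupies one thread and one perl clone for its whole service time.
Rates and service times below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict


@dataclass
class ThreadPool:
    start_servers: int
    max_servers: int
    min_spare_servers: int
    max_spare_servers: int
    max_requests_per_server: int


@dataclass
class PerlPool:
    start_clones: int
    max_clones: int
    min_spare_clones: int
    max_spare_clones: int


def workers_needed(rate_rps: float, service_s: float, headroom: float = 1.5) -> int:
    """Little's law (L = lambda * W) with a safety factor for bursts."""
    return math.ceil(rate_rps * service_s * headroom)


def effective_concurrency(tp: ThreadPool, pp: PerlPool) -> int:
    """A thread that cannot get a clone is a thread that waits, so the lower
    of the two limits is what the server can actually work on at once."""
    return min(tp.max_servers, pp.max_clones)


def assess(tp: ThreadPool, pp: PerlPool, rate_rps: float, service_s: float,
           headroom: float = 1.5) -> Dict[str, object]:
    need = workers_needed(rate_rps, service_s, headroom)
    cap = effective_concurrency(tp, pp)
    binding = "max_clones" if pp.max_clones < tp.max_servers else "max_servers"
    # Threads are recycled after max_requests_per_server requests; with
    # 'need' threads sharing the load, each sees rate/need requests per
    # second, so this estimates how often the pool churns a thread.
    recycle_s = round(need * tp.max_requests_per_server / rate_rps, 1) if rate_rps else None
    return {
        "workers_needed": need,
        "usable_concurrency": cap,
        "binding_limit": binding,
        "saturated": need > cap,
        "utilisation": round(rate_rps * service_s / cap, 2),
        "thread_recycle_s": recycle_s,
    }


if __name__ == "__main__":
    # The pools quoted in the post.
    tp = ThreadPool(start_servers=20, max_servers=120, min_spare_servers=20,
                    max_spare_servers=70, max_requests_per_server=300)
    pp = PerlPool(start_clones=20, max_clones=100, min_spare_clones=20, max_spare_clones=50)
    # Constructed scenarios: two devices at ~12.5 req/s each, then a third at
    # ~17.5 req/s, with a 0.5 s and a 5 s (slow home server) service time.
    for rate, service in ((25, 0.5), (42.5, 0.5), (42.5, 5.0)):
        print(f"{rate:5.1f} req/s x {service:3.1f} s ->", assess(tp, pp, rate, service))
```

The useful output is not the absolute thread count but which limit binds and how close the steady state sits to it: when a slow home server pushes the service time up, the need grows linearly with it, and the pool reaches the clone limit long before `max_servers`, which matches the "spawns threads until it hits the limit and then locks" symptom in the post.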