FreeRADIUS for Mac OS X

2006-11-03 Thread Paul Ammann
Hi

I'm looking for information for compiling / downloading FreeRADIUS for Mac OS X. I searched the list, and all the information seems outdated or inconclusive.

Best regards,
Paul
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

How to send some clients to the same detail file

2006-11-03 Thread Angel L. Mateo
Hello,

I have a running server with this configuration:

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}

detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}

I have activated the detail file in the accounting section and the
auth_log in the authorize and are working fine.

But now I want to send all the logs for requests from a group of
clients (defined as a huntgroup) to the same files, and the request for
all other clients as now (classified with the IP address of the client).
Is there any way to redefine this files for a set of clients?

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 968367590
Fax: 968398337




Re: Limit access to internet by mac using freeradius

2006-11-03 Thread Ali Jawad
That would solve the problem of clients acquiring the IPs automatically, but what about users who would enter the IPs statically?

On 11/2/06, Zoltan Ori [EMAIL PROTECTED] wrote:
 On Thursday 02 November 2006 05:43, Ali Jawad wrote:
  I need something like the mac address filtering used in squid ... where only registered mac addresses are allowed through the proxy. Any hints, suggestions and/or tutorials are welcome.
 Use your DHCP server for that.
 Zoltan Ori

-- With Regards Ali Jawad

CHAP on freeradius mysql

2006-11-03 Thread John Longland
Hi all


My freeradius server has been running for some time now and due to
the users file getting a bit long, I decide to go with the mysql-database.


I have my PAP-clients running on the new mysql-radius setup but my CHAP 
clients are still failing.


When I was running from the users-file, an entry would look like this:


DEFAULT Auth-Type = MS-CHAP, Password == void, Calling-Station-ID == '27111'
  Framed-IP-Address = 1.2.3.4


but moving to mysql, I cannot have  as usernames.


So my radcheck table has


john Auth-Type  MS-CHAP
john User-Password  john
john Calling-Station-ID 27111'



When I run radiusd in debug mode, it says


modcall : module sql returns ok for request 1
rlm_chap login attempt by john with CHAP-password
rlm_chap: Using clear text password john for user john authentication
rlm_chap : Password check failed



Are there any other debugging aids that I can switch on to see what's cooking??


Thanks !
John




Re: CHAP on freeradius mysql

2006-11-03 Thread Michael Lecuyer
You're requiring MS-CHAP authentication but the client is sending a CHAP
authentication. They're not the same type of authentication.

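To make Michael's point concrete, here is an added example (not code from the thread or from FreeRADIUS) of the check rlm_chap performs when it logs "Using clear text password ... for user ...": the server needs the clear-text password and recomputes MD5(ident | password | challenge) over the CHAP-Challenge, or over the Request Authenticator when the NAS sent no CHAP-Challenge. An MS-CHAP response is computed differently and has a different length, so one protocol's verifier can never succeed on the other's attribute. The challenge bytes and ident below are constructed; the user and password are the ones from the post.

```python
"""Added example: the check rlm_chap performs on a RADIUS CHAP-Password
(RFC 1994 CHAP carried in RADIUS, RFC 2865 section 5.3). Not code from the
thread or from FreeRADIUS; challenge and ident values are constructed."""
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """What a PPP client puts in CHAP-Password: ident byte + MD5(ident | password | challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def verify_chap(chap_password: bytes, clear_password: bytes,
                chap_challenge: Optional[bytes], request_authenticator: bytes) -> bool:
    """Server-side check. CHAP can only be verified against a clear-text
    password, because the server must recompute the same MD5 the client did.
    If the NAS sent no CHAP-Challenge attribute, RFC 2865 says the 16-byte
    Request Authenticator of the Access-Request is the challenge."""
    if len(chap_password) != 17:
        # 1 ident byte + 16-byte MD5. Anything else (for example a 24-byte
        # MS-CHAP response) is simply not a CHAP-Password.
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    chap_id = chap_password[0]
    expected = hashlib.md5(bytes([chap_id]) + clear_password + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    """Run the check over constructed inputs and return each outcome."""
    password = b"john"                    # clear-text User-Password in radcheck
    challenge = bytes(range(16))          # constructed CHAP-Challenge
    request_auth = bytes(range(16, 32))   # constructed Request Authenticator
    chap_id = 0x2A                        # constructed CHAP ident
    good = chap_response(chap_id, password, challenge)
    return {
        "correct_password": verify_chap(good, password, challenge, request_auth),
        "wrong_password": verify_chap(good, b"notjohn", challenge, request_auth),
        # client used the Request Authenticator because no CHAP-Challenge was sent
        "no_challenge_attr": verify_chap(chap_response(chap_id, password, request_auth),
                                         password, None, request_auth),
        # a 24-byte MS-CHAP-shaped response can never satisfy the CHAP check
        "mschap_shaped_response": verify_chap(bytes(24), password, challenge, request_auth),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'Password check OK' if ok else 'Password check failed'}")
```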


Re: RadSec

2006-11-03 Thread Stefan Winter
Hi!

 is RadSec implemented in FreeRadius? or it is planned to be done?

Not yet, but since it is of some importance for some roaming infrastructures
(specifically eduroam, www.eduroam.org), we'll hopefully be able to hire
someone to do the work.

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




Re: Limit access to internet by mac using freeradius

2006-11-03 Thread Phil Mayers

Ali Jawad wrote:
That would solve the problem of clients acquiring the IPs automatically
but what about users who would enter the IPs statically.


This is not a problem you can solve with radius if your switch doesn't 
support radius.


Google for captive portal


Bug in rlm_sql reconnect code??

2006-11-03 Thread Hans-Peter Fuchs
Hello List,

the following I have tested with freeradius 1.1.2 and 1.1.3

I run a radius-server as a test environment. The server is connected to a
mysql-database. After long idles the mysql-server drops the radius client
connections. After that the reconnect fails, as you can see in the following
output from radiusd -X. The first packet gets an accept response, the
following 2 packets get reject responses because the database queries fail.

rlm_sql (AuthGuest): - sql_groupcmp
radius_xlat:  '000f1fcc8e87'
rlm_sql (AuthGuest): sql_set_user escaped user -- '000f1fcc8e87'
radius_xlat:  'SELECT GroupName FROM usergroup WHERE
UserName='000f1fcc8e87''
rlm_sql (AuthGuest): Reserving sql socket id: 1
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE
UserName='000f1fcc8e87'
rlm_sql (AuthGuest): - sql_groupcmp finished: User belongs in group MAC
rlm_sql (AuthGuest): Released sql socket id: 1
users: Matched entry DEFAULT at line 162
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [000f1fcc8e87] (from client noc4 port 0)
Sending Access-Accept of id 10 to 134.95.129.28 port 1025
User-Name := 
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 454aea03
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 134.95.129.28:1025, id=192,
length=56
User-Name = 000f1fcc8e87
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Session-Id = 21c0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_sql (AuthGuest): - sql_groupcmp
radius_xlat:  '000f1fcc8e87'
rlm_sql (AuthGuest): sql_set_user escaped user -- '000f1fcc8e87'
radius_xlat:  'SELECT GroupName FROM usergroup WHERE
UserName='000f1fcc8e87''
rlm_sql (AuthGuest): Reserving sql socket id: 0
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE
UserName='000f1fcc8e87'
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (AuthGuest): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (AuthGuest): Connected new DB handle, #0
rlm_sql (AuthGuest): failed after re-connect
rlm_sql (AuthGuest): Released sql socket id: 0
rlm_sql (AuthGuest): - sql_groupcmp finished: User does not belong in group
ADMIN
Invalid operator for item Sql-Group: reverting to '=='
rlm_sql (AuthGuest): - sql_groupcmp
radius_xlat:  '000f1fcc8e87'
rlm_sql (AuthGuest): sql_set_user escaped user -- '000f1fcc8e87'
radius_xlat:  'SELECT GroupName FROM usergroup WHERE
UserName='000f1fcc8e87''
rlm_sql (AuthGuest): Reserving sql socket id: 4
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE
UserName='000f1fcc8e87'
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (AuthGuest): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (AuthGuest): Connected new DB handle, #4
rlm_sql (AuthGuest): failed after re-connect
rlm_sql (AuthGuest): Released sql socket id: 4
rlm_sql (AuthGuest): - sql_groupcmp finished: User does not belong in group
RZKR
Invalid operator for item Sql-Group: reverting to '=='
No huntgroup access: [000f1fcc8e87] (from client noc4 port 0)
  modcall[authorize]: module preprocess returns reject for request 1
modcall: leaving group authorize (returns reject) for request 1
Invalid user: [000f1fcc8e87/no User-Password attribute] (from client noc4
port 0)
Delaying request 1 for 4 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 134.95.129.28:1025, id=192,
length=56
Sending Access-Reject of id 192 to 134.95.129.28 port 1025
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 192 with timestamp 454b615d
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 134.95.129.28:1025, id=87,
length=56
User-Name = 000f1fcc8e87
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Session-Id = 2657
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_sql (AuthGuest): - sql_groupcmp
radius_xlat:  '000f1fcc8e87'
rlm_sql (AuthGuest): sql_set_user escaped user -- '000f1fcc8e87'
radius_xlat:  'SELECT GroupName FROM usergroup WHERE
UserName='000f1fcc8e87''
rlm_sql (AuthGuest): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE
UserName='000f1fcc8e87'
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (AuthGuest): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: 
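MySQL error 2006 is CR_SERVER_GONE_ERROR, the server side having closed the idle connection. The debug output above spreads one such failure over many lines, so here is an added example (not from the post and not FreeRADIUS code) that summarises the rlm_sql events per request from `radiusd -X` output and lists the requests where the query still failed after the reconnect; the sample log inside it is constructed after the one above.

```python
"""Added example, not from the post or from FreeRADIUS: summarise rlm_sql
reconnect behaviour per request from `radiusd -X` output. SAMPLE_LOG is
constructed after the debug output in the post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_LOG = """\
modcall: entering group authorize for request 0
rlm_sql (AuthGuest): Reserving sql socket id: 1
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE UserName='000f1fcc8e87'
rlm_sql (AuthGuest): Released sql socket id: 1
modcall: leaving group authorize (returns ok) for request 0
modcall: entering group authorize for request 1
rlm_sql (AuthGuest): Reserving sql socket id: 0
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (AuthGuest): Attempting to connect rlm_sql_mysql #0
rlm_sql (AuthGuest): Connected new DB handle, #0
rlm_sql (AuthGuest): failed after re-connect
rlm_sql (AuthGuest): Released sql socket id: 0
rlm_sql (AuthGuest): Reserving sql socket id: 4
rlm_sql_mysql: MYSQL check_error: 2006, returning SQL_DOWN
rlm_sql (AuthGuest): Attempting to connect rlm_sql_mysql #4
rlm_sql (AuthGuest): Connected new DB handle, #4
rlm_sql (AuthGuest): failed after re-connect
rlm_sql (AuthGuest): Released sql socket id: 4
modcall: leaving group authorize (returns reject) for request 1
"""

# One pattern per debug line we care about; everything else is ignored.
ENTER = re.compile(r"^modcall: entering group (\w+) for request (\d+)$")
LEAVE = re.compile(r"^modcall: leaving group \w+ \(returns (\w+)\) for request (\d+)$")
RESERVE = re.compile(r"^rlm_sql \((\w+)\): Reserving sql socket id: (\d+)$")
SQL_ERR = re.compile(r"^rlm_sql_mysql: MYSQL check_error: (\d+), returning (\w+)$")
RECONNECT = re.compile(r"^rlm_sql \(\w+\): Attempting to connect rlm_sql_mysql #(\d+)$")
RETRY_FAIL = re.compile(r"^rlm_sql \(\w+\): failed after re-connect$")


@dataclass
class SqlRequestSummary:
    request: int
    result: str = "unknown"                 # what the module group returned
    sockets: List[int] = field(default_factory=list)
    mysql_errors: List[int] = field(default_factory=list)
    reconnects: int = 0
    failed_after_reconnect: int = 0


def summarise(log: str) -> Dict[int, SqlRequestSummary]:
    """Walk the debug output line by line, attributing rlm_sql events to the
    request whose module group is currently being processed."""
    summaries: Dict[int, SqlRequestSummary] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()                  # modcall lines are indented in -X output
        if m := ENTER.match(line):
            rid = int(m.group(2))
            current = summaries.setdefault(rid, SqlRequestSummary(rid))
        elif current is None:
            continue                        # lines before any request starts
        elif m := LEAVE.match(line):
            current.result = m.group(1)
        elif m := RESERVE.match(line):
            current.sockets.append(int(m.group(2)))
        elif m := SQL_ERR.match(line):
            current.mysql_errors.append(int(m.group(1)))
        elif RECONNECT.match(line):
            current.reconnects += 1
        elif RETRY_FAIL.match(line):
            current.failed_after_reconnect += 1
    return summaries


def requests_hurt_by_reconnect(log: str) -> List[int]:
    """Request ids where a query failed even after rlm_sql reconnected."""
    return sorted(rid for rid, s in summarise(log).items() if s.failed_after_reconnect)


if __name__ == "__main__":
    for summary in summarise(SAMPLE_LOG).values():
        print(summary)
    print("requests affected:", requests_hurt_by_reconnect(SAMPLE_LOG))
```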

Re: Freeradius hangs

2006-11-03 Thread Karthik R
 If you had said this at the start, and posted the debug log, you would have solved the problem a long time ago. This is even in the FAQ:
 http://wiki.freeradius.org/FAQ#The_NAS_seems_to_ignore_the_reply_of_the_radius_server

 Alan DeKok.

Alan,

As you said, I tried with the option -i :

radiusd --i ip_address_radius server -X

But still I get the below error message at the radius server end; only one NIC is active now on the server.

--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:4754, id=119, length=151
Sending duplicate reply to client dlink:4754 - ID: 119
Re-sending Access-Accept of id 219 to 192.168.0.1 port 4754

On the client side MSVPN dialer interface, I see the error message: Error 718: the connection was terminated because the remote computer didn't respond in a timely manner.

Thanks for your patience and co-operation.



Re: Freeradius hangs

2006-11-03 Thread Alan DeKok
Karthik R [EMAIL PROTECTED] wrote:
 But still i get the below error message at the radius server end, only one
 NIC is active now on the server.

  Then the problem isn't in the RADIUS server, is it?  The server is
responding to the NAS, but for some reason, the NAS isn't receiving
the packet, or is discarding the packet.

  It's time to start using 'tcpdump' to see where the packets are
going.  Also look at firewall rules.  But there's nothing more you can
do to FreeRADIUS to fix the problem.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Accounting-Response

2006-11-03 Thread Vasea Marii
Well, I write because I still hope for a categoric answer to the previous post about sending attributes in Accounting-Response!
 -- If possible, how to set it, or where to find some documentation about how structures in freeradius are built!
 -- or if it's not possible (I don't know, it's too difficult) say so!
Hope I'm not too insistent, and a good day!

The previous post:

"A week ago I was trying to find out how I can add some attributes to the accounting response from a MySQL backend! Alan DeKok showed me that the mechanism wasn't very good and that I don't send the right attributes in accounting-response! We've made some work for optimisation but found out that we still need to send some attributes, meaning: when sending accounting-stop the response from FreeRADIUS should be [-Command] // ex. play 'thanks for calling through us' [-Voice-Message-Prompt] specific (from sql) - [-Session-Timeout] (for accounting-start response)! The mechanism is complex and we don't see other solution but adding these attributes only in Accounting-Response! I understand that there should be a unique standard for this but the rfc has reserves to send attributes in accounting-response and we've created a dictionary for this purpose so there shouldn't be any problems! The problem is, as I think, that FreeRADIUS doesn't have a configurable query for accounting-response as it has for authentication-response! I tried to find in the source the place to add the stuff I need but it seems that it will take too long to understand the complex structure of pointers used by developers! Anyway if someone can help, thanks!"


Re: Accounting-Response

2006-11-03 Thread Alan DeKok
Vasea Marii [EMAIL PROTECTED] wrote:
 Well i write because i still hope for a categoric answer to the previous post 
 about sending attributes in Accounting-Response!

  You don't.  If you want to, edit the source code.

   --If possible how to set or where to find some documentation about how 
 structures in freeradius are built!

  If you know C, read the source.  That's what everyone else does.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Server logs say users authenticate, but they don't (Now with more details!)

2006-11-03 Thread Ernie Dunbar
This isn't a duplicate, I've just included more information about our
configuration.

We have a Cisco AS5300 for our dialup pool. It is able to log into our new
FreeRadius server and make authentication requests, but users are not able
to authenticate.

It's very strange, because FreeRadius produces logs like this:

Thu Nov  2 11:06:24 2006 : Auth: Login OK: [XX/XX] (from client
dialup port 8)

But the client gets Error 691: Your username or password are incorrect.

I can tell that it's authenticating properly, because when a user gets
their password wrong, I see this instead:

Thu Nov  2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
client dialup port 13)
Thu Nov  2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
client dialup port 13)

We're using FreeRadius' mysql support for authentication, and I'm
absolutely positive that part is working fine. It even creates accounting
data in the database.

This is what we have in the users file:

DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

and this is what radiusd.conf looks like without the comments:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 256
bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no

regular_expressions = yes
extended_expressions= yes

log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = after
nospace_pass = after

checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests  = off
$INCLUDE  ${confdir}/proxy.conf

# proxy.conf has:
# realm LOCAL {
#type= radius
#authhost= LOCAL
#accthost= LOCAL
#}

$INCLUDE  ${confdir}/clients.conf

# clients.conf has:
# client XXX.XXX.XXX.XXX {
#secret = XX
#nastype = cisco
#shortname = dialup
#}

$INCLUDE  ${confdir}/snmp.conf

# snmp.conf has nothing.

snmp= no

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {
pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP
}

pam {
pam_auth = radiusd
}

unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}

$INCLUDE ${confdir}/eap.conf

# eap.conf has:
# eap {
#default_eap_type = md5
#timer_expire = 60
#ignore_unknown_eap_types = no
#cisco_accounting_username_bug = no
#
#md5 {
#}
#
#leap {
#}
#
#gtc {
#auth_type = PAP
#}
#
#mschapv2 {
#}
#}

mschap {
authtype = MS-CHAP
}

realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}

checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}

files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}

acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
}

$INCLUDE  ${confdir}/sql.conf

# sql.conf has:
#
#sql {
#
#driver = rlm_sql_mysql
#server = localhost
#login = XX
#radius_db = XX
#   password = XX
#acct_table1 = radacct
#acct_table2 = radacct
#postauth_table = radpostauth
#

Re: Another Installation Problem

2006-11-03 Thread A . L . M . Buxey
Hi,

   The 'bz2' extension means that the tar file has been compressed.
 Use bunzip2 to decompress it, and you will get a tar file.

little known factoid. on most modern versions of tar you can simply
do

tar xvf blah-blah.tar.bz2


and it will automatically detect the major compression methods - be it
.Z, .gz or .bz2.   Note, no '-' and no 'j'/'z' - that's 2 fewer characters
to type each time you do a tar operation...think of the savings on your
keyboard and the resulting productivity gain!  ;-)

alan


Re: CVS problem

2006-11-03 Thread A . L . M . Buxey
Hi,

   Anyway, it's fixed now.  I'll have to put a cron job in to mail me
 if something screws up again.

ideally code should check the database connection attempt and if it fails
then it prints a more sane message for Joe Average to read such as
'site currently unavailable' rather than expose the backend errors ;-)

alan


Best practices for redundant servers

2006-11-03 Thread Aaron Paetznick
I've been struggling with this problem for a couple of weeks, and I 
thought I'd pass it along to the mailing list.  Basically I'm trying to 
answer the following question.  Given multiple identical dedicated 
servers each running Linux and MySQL, how can I configure FreeRADIUS for 
maximum stability, reliability, and performance?  The question, it 
seems, is not as easy as is sounds.


I have experience with running a single FreeRADIUS/MySQL server, and the 
configuration works well.  So to move to multiple servers, I started by 
reading docs/configurable_failover and docs/load-balance.txt.  As I was 
looking for both load-balancing and redundancy, I thought 
redundant-load-balance seemed like a slam-dunk.  The idea was to have 
each instance of FreeRADIUS be redundant for each other, and for each 
instance of the MySQL back end to do the same.  Therefore, I simply 
defined a redundant-load-balance block in each place in radiusd.conf 
where I had previously defined the sql module on each server.


This worked for the most part, but now I'm starting to discover 
accounting issues.  Some sessions will be recorded in both databases 
with the same AcctSessionId and AcctUniqueId, but with different 
AcctStopTimes.  This seemed confusing to me, but given my 
shoot-from-the-hip first try at a redundant load-balancing 
configuration, I wasn't surprised to find problems.


I looked around and couldn't find any best practice example config 
files or HOWTOs for this situation.  That's when I decided to email the 
mailing list.  So my question again, in short, is what would be the 
preferred method to configure FreeRADIUS/MySQL on multiple redundant 
servers?


Any advice would be very helpful.  Thanks.


--Aaron




NAS and subnets

2006-11-03 Thread Mike May
Hello everyone, is it possible to have NAS entries for a
subnet, if so could someone give me an example



Thank you


Re: NAS and subnets

2006-11-03 Thread Alan DeKok
Mike May [EMAIL PROTECTED] wrote:
 Hello everyone, is it possible to have NAS entries for a subnet, if so could
 someone give me an example

  raddb/clients.conf

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Server logs say users authenticate, but they don't (Now with more details!)

2006-11-03 Thread Paul Khavkine
Is the server multihomed?
It often happens that the server will receive a request on one IP address and send out a reply using a different address with a multihomed system.

If your system has multiple IP addresses, you can set bind_address to the one you want to use.

Cheers
Paul


-Original Message-
From: [EMAIL PROTECTED] on behalf of Ernie Dunbar
Sent: Fri 11/3/2006 2:02 PM
To: freeradius-users@lists.freeradius.org
Subject: Server logs say users authenticate, but they don't (Now with more details!)

This isn't a duplicate, I've just included more information about our
configuration.

We have a Cisco AS5300 for our dialup pool. It is able to log into our new
FreeRadius server and make authentication requests, but users are not able
to authenticate.

It's very strange, because FreeRadius produces logs like this:

Thu Nov 2 11:06:24 2006 : Auth: Login OK: [XX/XX] (from client
dialup port 8)

But the client gets Error 691: Your username or password are incorrect.

I can tell that it's authenticating properly, because when a user gets
their password wrong, I see this instead:

Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
client dialup port 13)
Thu Nov 2 11:02:20 2006 : Auth: Login incorrect: [user1/somepass] (from
client dialup port 13)

We're using FreeRadius' mysql support for authentication, and I'm
absolutely positive that part is working fine. It even creates accounting
data in the database.

This is what we have in the users file:

DEFAULT Framed-Protocol == PPP, Simultaneous-Use == 1
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP

and this is what radiusd.conf looks like without the comments:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 256
bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no

regular_expressions = yes
extended_expressions = yes

log_stripped_names = yes
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = after
nospace_pass = after

checkrad = ${sbindir}/checkrad

security {
 max_attributes = 200
 reject_delay = 1
 status_server = no
}

proxy_requests = off
$INCLUDE ${confdir}/proxy.conf

# proxy.conf has:
# realm LOCAL {
# type = radius
# authhost = LOCAL
# accthost = LOCAL
#}

$INCLUDE ${confdir}/clients.conf

# clients.conf has:
# client XXX.XXX.XXX.XXX {
# secret = XX
# nastype = cisco
# shortname = dialup
#}

$INCLUDE ${confdir}/snmp.conf

# snmp.conf has nothing.

snmp = no

thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
}

modules {
 pap {
 encryption_scheme = crypt
 }

 chap {
 authtype = CHAP
 }

 pam {
 pam_auth = radiusd
 }

 unix {
 cache = no
 cache_reload = 600
 shadow = /etc/shadow
 radwtmp = ${logdir}/radwtmp
 }

$INCLUDE ${confdir}/eap.conf

# eap.conf has:
# eap {
# default_eap_type = md5
# timer_expire = 60
# ignore_unknown_eap_types = no
# cisco_accounting_username_bug = no
#
# md5 {
# }
#
# leap {
# }
#
# gtc {
# auth_type = PAP
# }
#
# mschapv2 {
# }
# }

 mschap {
 authtype = MS-CHAP
 }

 realm suffix {
 format = suffix
 delimiter = @
 ignore_default = no
 ignore_null = no
 }

 checkval {
 item-name = Calling-Station-Id
 check-name = Calling-Station-Id
 data-type = string
 }

 preprocess {
 huntgroups = ${confdir}/huntgroups
 hints = ${confdir}/hints
 with_ascend_hack = no
 ascend_channels_per_line = 23
 with_ntdomain_hack = no
 with_specialix_jetstream_hack = no
 with_cisco_vsa_hack = no
 }

 files {
 usersfile = ${confdir}/users
 acctusersfile = ${confdir}/acct_users
 compat = no
 }

 detail {
 detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
 detailperm = 0600
 }

 acct_unique {
 key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
 }

 $INCLUDE ${confdir}/sql.conf

# sql.conf has:
#
#sql {
#
# driver = rlm_sql_mysql
# server = localhost
# login = XX
# radius_db = XX
# password = XX
# acct_table1 = radacct
# acct_table2 = radacct
# postauth_table = radpostauth
# authcheck_table = radcheck
# authreply_table = radreply
# groupcheck_table = radgroupcheck
# groupreply_table = radgroupreply
# usergroup_table = usergroup
# deletestalesessions = yes
# sqltrace = yes
# sqltracefile = /var/log/freeradius/sqltrace.sql
# num_sql_socks = 5
# connect_failure_retry_delay = 60
# safe-characters =
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
# 

Re: FreeRADIUS for Mac OS X

2006-11-03 Thread Markus Krause

hi paul,

I did a successful compile (at least without perl and sql modules, as I
did not have the development files installed) about a month ago. It's
just:


./configure --enable-developer
make
sudo make install

then i had a working freeradius server!

this too is mentioned in the wiki.

regards
   markus

Zitat von Paul Ammann [EMAIL PROTECTED]:

Hi

I'm looking for information for compiling / downloading FreeRADIUS   
for Mac OS X. I searched the list, and all the information seem   
outdated or inconclusive.


Best regards,

Paul

--
Markus Krause   email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98



RE: Server logs say users authenticate, but they don't (Now with more details!)

2006-11-03 Thread Ernie Dunbar
No, it's not multihomed, but on a lark I tried it anyway (since there's
two network cards in it, but one isn't used). It still doesn't work.

 Is the server multihomed?
 It often happens that the server will receive a request on one IP address
 and send out a reply using a different address with a multihomed system.

 If your system has multiple IP addresses, you can set bind_address to the
 one you want to use.

 Cheers
 Paul

Re: Server logs say users authenticate, but they don't (Now with more details!)

2006-11-03 Thread James Wakefield

Ernie Dunbar wrote:

No, it's not multihomed, but on a lark I tried it anyway (since there's
two network cards in it, but one isn't used). It still doesn't work.



G'day Ernie,

Can you sniff on the AS5300 and ensure the Access-Accept packets are 
arriving before the 3 second (default) timeout?


Does it work if you temporarily disable the Simultaneous-Use check?


--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au
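Both this thread and the "Freeradius hangs" thread above end with the same advice: sniff the wire and see whether the reply reaches the NAS and whether the NAS can use it. This added example (not from either thread and not FreeRADIUS code) decodes a RADIUS datagram as a capture would show it and checks a reply's Response Authenticator against the request's Identifier and Request Authenticator with the shared secret; a NAS silently discards a reply that fails this check, which on the server side looks exactly like a NAS that never received the reply. The packets, ids, addresses and the secret inside are constructed.

```python
"""Added example, not code from either thread or from FreeRADIUS: decode a
RADIUS datagram and verify a reply's Response Authenticator (RFC 2865 s.3).
Every packet, id, address and the shared secret below is constructed."""
import hashlib
import hmac
import socket
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 8: "Framed-IP-Address"}
Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    """Type-Length-Value attributes; Length counts the two header bytes."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def encode_packet(code: int, pid: int, authenticator: bytes, attrs: List[Attr]) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, pid, 20 + len(body)) + authenticator + body


def decode_packet(data: bytes) -> Tuple[int, int, bytes, List[Attr]]:
    """Parse Code, Identifier, Length, Authenticator and the attribute list,
    refusing the inconsistent lengths a malformed or truncated capture shows."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, pid, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with datagram size")
    attrs: List[Attr] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, pid, data[4:20], attrs


def response_authenticator(code: int, pid: int, attrs: List[Attr],
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, pid, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_reply(reply: bytes, request_pid: int, request_auth: bytes, secret: bytes) -> bool:
    """The check a NAS makes before it accepts a reply: same Identifier as the
    outstanding request, and an authenticator built with the same secret."""
    code, pid, auth, attrs = decode_packet(reply)
    if pid != request_pid:
        return False  # answers some other request, or is a stale duplicate
    expected = response_authenticator(code, pid, attrs, request_auth, secret)
    return hmac.compare_digest(expected, auth)


def describe(data: bytes) -> str:
    """One-line rendering in the spirit of rad_recv's debug output."""
    code, pid, _, attrs = decode_packet(data)
    fields = ", ".join(f"{ATTR_NAMES.get(t, t)}={v!r}" for t, v in attrs)
    return f"{CODE_NAMES.get(code, code)} id={pid} [{fields}]"


def demo() -> dict:
    """Constructed exchange: one request, a good reply, a reply built with the
    wrong secret, and the good reply checked against the wrong Identifier."""
    secret = b"testing123"                  # constructed shared secret
    request_auth = bytes(range(16))         # constructed Request Authenticator
    request = encode_packet(ACCESS_REQUEST, 119, request_auth, [
        (1, b"user1"),
        (4, socket.inet_aton("192.168.0.1")),
        (5, struct.pack("!I", 4754)),
    ])
    reply_attrs = [(8, socket.inet_aton("10.0.0.7"))]

    def build_reply(with_secret: bytes) -> bytes:
        auth = response_authenticator(ACCESS_ACCEPT, 119, reply_attrs, request_auth, with_secret)
        return encode_packet(ACCESS_ACCEPT, 119, auth, reply_attrs)

    _, req_id, req_auth, _ = decode_packet(request)
    return {
        "request": describe(request),
        "reply_ok": verify_reply(build_reply(secret), req_id, req_auth, secret),
        "reply_wrong_secret": verify_reply(build_reply(b"wrong"), req_id, req_auth, secret),
        "reply_other_id": verify_reply(build_reply(secret), 219, req_auth, secret),
    }
```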