Reject reason
I am authenticating users based on Calling-Station-Id in addition to password. All accepts and rejects are logged to the postauth table in my database. But I cannot see why the user got rejected, if it was wrong Calling-Station-Id or wrong password. Any ideas? Cheers, Jørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Queries apear in Dialup_admin page
Thanks...it resolve the problem. -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Em nome de Richard Cotrina Enviada: quinta-feira, 9 de Novembro de 2006 17:42 Para: FreeRadius users mailing list Assunto: Re: Queries apear in Dialup_admin page Take a look at your conf/admin.conf file in the dialup_admin directory, and disable sql or ldap debug ( depends on what you are using ): ldap_debug: false sql_debug: false regards On Thu, 9 Nov 2006, CASTANHEIRA, Nuno Osvaldo wrote: Hi, i have a strange problem in my freeradius with dialup_admin interface. When i choose the fields, statistics, user statistics, online users, radius clients .etc, the queries apear in Dialup_Admin page... very strange. Can anyone tell me what i´m i doing wrong. Sorry for my english. Thanks. Nuno Castanheira REFERTELECOM E-mail: [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_sql multiple instances handling of
Hi, I have a problem where I need a lot of threads to catch accounting data, a lot of threads means a lot of DB handles. Alas this means more than 256 db handles which is the limit for rlm_sql. My thoughts therefore was to instantiate multiple rlm_sql modules to increase the number of db handles availible.However I am wondering on how to now use this. This system is purely for accounting. If I say put in the accounting stanza:sql1sql2sqlnWill the accounting packet be sent to all sql instanses in turn, or just the 1st one that succeeds ? and then not any further ? Will a "no free db handles" error from sql1 lead to sql2 being attempted ?Thanks in advance - Graeme Hinchliffe (BSc) Core Systems Designer Zen Internet (http://www.zen.co.uk/) Direct: 0845 058 9074 Main : 0845 058 9000 Fax : 0845 058 9005 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
networkaddresses in huntgroupfile
Hi, is there a way to define networks in the huntgroupfile, something like name == 10.0.0.1/24 Hans -- Hans Bornemann Universitaet Dortmund - Hochschulrechenzentrum Tel. ++49 231 755 2132 Fax. ++49 231 755 2731 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
help configureing a proxium Tsunami MP.11 5054-R and free radius
Hi:
really simple question here...
in my user file I have
0020A666B9E6Auth-Type := local,User-Password :=qwerty1
in my clients.conf file I have
client 172.16.20.18 {
secret = qwerty1
shortname = base
}
my show system on the Tsunami is
System Name :base
System Mode :bridge
Descriptor:Tsunami MP.11 5054-R v2.3.0(169)
SN-06UT30570483
Location :BLANKED OUT by ME
Contact Name :xx
Contact Email :[EMAIL PROTECTED]
Contact Number:+xxx xx
Up Time (DD:HH:MM:SS) :0:0:46:6
System OID:1.3.6.1.4.1.11898.2.4.9
Ethernet MAC Address :00:20:A6:66:B9:E6
Country :ZA
System Flash Backup Interval :120
Device HW Type:Outdoor
now when I reboot the modem I get the following error when I do a radius -XX
Waking up in 31 seconds...
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
User-Name = 0020a6-66b9e6
User-Password = qwerty1
NAS-IP-Address = 172.16.20.18
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = 0020a6-66b9e6, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
modcall[authorize]: module files returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [0020a6-66b9e6/qwerty1] (from client base port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 172.16.20.18:6001, id=1, length=65
Sending Access-Reject of id 1 to 172.16.20.18 port 6001
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 455489dd
Nothing to do. Sleeping until we see a request.
Now what am I doing wrong?
Please any and all help is greatly appreciated
Cameron
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR-1.1.3 on solaris10 strange things
On Wed, 2006-11-08 at 14:56 -0500, Alan DeKok wrote: Alexander Serkin [EMAIL PROTECTED] wrote: May be someone could give an advice how to debug the problem while the server will not be in production? Attach to it with gdb, and see what it's doing. Or use the 'truss' command to see what is going on. John. -- --- John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: [EMAIL PROTECTED] Fax: +44 (0)1752 233839 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
dialup_admin+ldap+sql
Hi, I saw that dialup_admin can use ldap or SQL to manage users. I'd like to know if i can, using dialup-admin: 1- authenticate users with ldap and add in the radius server answer per user attributesthat are stored in my sqlDB. 2- authenticate users with ldap and add in the radius server answer attributes depending on the nas hintgroups and ldap-group. i alreadydid this with freeradius users configuration file andnow i'd like to addnew usersor default usersusing only a GUI: see my users file: Robert Auth-Type = LDAP service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=1" DEFAULT Ldap-Group == "ou=admin,ou=groupe,dc=company,dc=com", Huntgroup-Name == "alphen" service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" thank you for your help Thomas- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius 1.1.3 and PHPMyPrepaid
I was wondering if anyone has worked the two of these together happily? I've managed to get Radius configured and running (Thanks guys!). But I can't login with a phpmyprepaid user - If I create my own user (very simplistic) it works, with no worries, otherwise the user is rejected because of a value in the database. Here is an example of the database records. radcheck is the table. The create table statement is as follows: CREATE TABLE `radcheck` ( `id` int(11) unsigned NOT NULL auto_increment, `UserName` varchar(64) NOT NULL default '', `FirstName` varchar(40) NOT NULL default '', `LastName` varchar(40) NOT NULL default '', `CustID` varchar(5) NOT NULL default '', `Attribute` varchar(32) NOT NULL default '', `op` char(2) NOT NULL default '==', `Value` varchar(253) NOT NULL default '', `CrDate` timestamp NOT NULL default '-00-00 00:00:00', `creator` varchar(20) default 'NULL', `Location` smallint(4) default '0', `activated` smallint(4) NOT NULL default '0', `activeDate` timestamp NOT NULL default '-00-00 00:00:00', `status` smallint(4) NOT NULL default '0', `rate` smallint(4) NOT NULL default '1', `Type` varchar(50) NOT NULL default '', `BillingPlan` smallint(4) NOT NULL default '0', `TimeToFinish` smallint(1) NOT NULL default '0', PRIMARY KEY (`id`), KEY `UserName` (`UserName`(32)) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=67 ; id 1 works - username michelle, id 2 fails and the reason given when running radiusd -X is that it doesn't recognize Max-All-Session. Have I missed something in the configuration that would set that up for me? Or am I whistling up a tree trying to get phpmyprepaid to work? I will admit that it wasn't pleasant getting oddities to work for me in phpmyprepaid, there were a lot of little things in the code that drove me bonkers I am also using DD-WRT on a Linksys, Chillispot, and FreeRadius1.1.3 on CentOS. INSERT INTO `radcheck` (`id`, `UserName`, `FirstName`, `LastName`, `CustID`, `Attribute`, `op`, `Value`, `CrDate`, `creator`, `Location`, `activated`, `activeDate`, `status`, `rate`, `Type`, `BillingPlan`, `TimeToFinish`) VALUES (*1, 'michelle', 'michelle', 'manning', '1', 'Password', ':=', 'michelle', '-00-00 00:00:00', 'NULL', 0, 0, '-00-00 00:00:00', 0, 1, '', 0, 0)*, (2, 'tansel6', '', 'tansel6', '', 'Password', ':=', 'tansel6', '2006-11-09 16:01:52', 'admin', 1, 0, '-00-00 00:00:00', 0, 1, 'Hourly', 1, 0), (3, 'tansel6', '', 'tansel6', '', 'Simultaneous-Use', ':=', '1', '2006-11-09 16:01:52', 'admin', 1, 0, '-00-00 00:00:00', 0, 1, 'Hourly', 1, 0), (4, 'tansel6', '', 'tansel6', '', '*Max-All-Session*', ':=', '1800', '2006-11-09 16:01:52', 'admin', 1, 0, '-00-00 00:00:00', 0, 1, 'Hourly', 1, 0), (5, 'tansel6', '', 'tansel6', '', 'WISPr-Location-ID', ':=', '1', '2006-11-09 16:01:52', 'admin', 1, 0, '-00-00 00:00:00', 0, 1, 'Hourly', 1, 0), (6, 'tansel6', '', 'tansel6', '', 'Expiration', ':=', '09 May 2007 00:00:00', '2006-11-09 16:01:52', 'admin', 1, 0, '-00-00 00:00:00', 0, 1, 'Hourly', 1, 0), - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Discarding new rquests and CPU eats 99.9%
=?iso-8859-9?Q?Cihan_DEM=DDR?= [EMAIL PROTECTED] wrote: We're using 0.9.3 version on RedHat. ... Any comment? Thanks in advance. Upgrade. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Reject reason
=?iso-8859-1?Q?J=F8rn_Kost=F8l_Gundersen?= [EMAIL PROTECTED] wrote: But I cannot see why the user got rejected, if it was wrong Calling-Station-Id or wrong password. There are any number of reasons why a user may be rejected. Logging all of them is problematic, especially when the user is being rejected for multiple reasons. The short answer is no, it's difficult to tell why they were rejected. You'll have to instrument the server to print out that information. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help configureing a proxium Tsunami MP.11 5054-R and free radius
Cameron Cowie [EMAIL PROTECTED] wrote: in my user file I have 0020A666B9E6Auth-Type := local,User-Password :=qwerty1 ... Thread 1 handling request 0, (1 handled so far) User-Name = 0020a6-66b9e6 It's not the same username. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sync hungroups, clients files, users across multiple servers
Greets! What is a good way or considered best practice for folks to sync changes to critical files in use by radius like huntgroups and clients.conf and users across multiple RADIUS servers. I am not using MySQL backend, but rather relaying requests for auth off to PAM which checks against a samba/NT-Domain, thus the user account existing locally on the server. With several servers it becomes a PIA and can lead to misconfiguration errors due to human data entry when you have to enter everything into each server. Does anyone want to share a script they have written to do this? Thanks! -Charles Master timed out! Holding election... I am declaring myself the master! CONFIDENTIAL NOTICE: This email including any attachments, contains confidential information belonging to the sender. It may also be privileged or otherwise protected by work product immunity or other legal rules. This information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance on the contents of this emailed information is strictly prohibited. If you have received this email in error, please immediately notify us by reply email of the error and then delete this email immediately. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sync hungroups, clients files, users across multiple servers
Hi, Greets! What is a good way or considered best practice for folks to sync changes to critical files in use by radius like huntgroups and clients.conf and users across multiple RADIUS servers. I am not using MySQL backend, but rather relaying requests for auth off to PAM which checks against a samba/NT-Domain, thus the user account existing locally on the server. With several servers it becomes a PIA and can lead to misconfiguration errors due to human data entry when you have to enter everything into each server. Does anyone want to share a script they have written to do this? you could use rsync, http://samba.anu.edu.au/rsync/ or subversion, http://subversion.tigris.org/ and actually keep your configurations all held on such a central repository. you can then actually update the configuration from any one of your servers and get them all to autometically get the latest version... be that with a frequent cronjob that checks for changes (and if there have been any, download them!) or from a forced update. this way you also have a centralised way of seeing what changed, when and who by. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Discarding new rquests and CPU eats 99.9%
Hi,
=?iso-8859-9?Q?Cihan_DEM=DDR?= [EMAIL PROTECTED] wrote:
We're using 0.9.3 version on RedHat.
...
Any comment? Thanks in advance.
Upgrade.
and to back Alan up, you really should upgrade:
# 2006.03.20 v1.0.5, and v1.1.0 - A validation issue exists with the
EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first
appeared) to 1.1.0. Insufficient input validation was being done in the
EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their
EAP-MSCHAPv2 client state machine to potentially convince the server to bypass
authentication checks. This bypassing could also result in the server crashing.
We recommend that administrators upgrade immediately.
# 2005.09.09 v1.0.3, v1.0.4 - Multiple issues exist with version 1.0.4, and all
prior versions of the server. Externally exploitable vulnerabilities exist only
for sites that use the rlm_sqlcounter module. Those sites may be vulnerable to
SQL injection attacks, similar to the issues noted below. All sites that have
not deployed the rlm_sqlcounter module are not vulnerable to external exploits.
However, we still recommend that all sites upgrade to version 1.0.5.
The issues are:
* SQL Injection attack in the rlm_sqlcounter module.
* Buffer overflow in the rlm_sqlcounter module, that may cause a server
crash.
* Buffer overflow while expanding %t, that may cause a server crash.
These issues were found by Primoz Bratanic. As the rlm_sqlcounter module is
marked experimental in the server source, it is not enabled or configured in
most sites. As a result, we believe that the number of vulnerable sites is low.
Additional issues, not externally exploitable, were found by Suse. A full
response to their report is available here. A related post to the vendor-sec
mailing list is found here.
# 2005.05.01 v1.0.1, v1.0.2 - Two vulnerabilities in the SQL module exist in
all versions prior to 1.0.3. Sites not using the SQL module are not affected by
this issue. However, we still recommend that all sites upgrade to version 1.0.3.
The issues are:
* Buffer overflow - A long string could overflow an internal buffer in the
SQL module, and write two bytes of text [0-9a-f] past the end of the buffer.
The server may exit when this happens, resulting in a DoS attack. Depending on
the local configuration of the server, this may occur before a user is
authenticated. This vulnerability is externally exploitable, but can not result
in the execution of arbitrary code.
* SQL injection attacks - The SQL module suffers from SQL injection attacks
in the group_membership_query, simul_count_query, and simul_verify_query
configuration entries. The first query is exploitable if your site is
configured to use the SQL-Group attribute in any module in the authorize
section of radiusd.conf. The last two queries are exploitable only if your site
has user names that contain a single quote character (').
# 2004.09.14 v1.0.0 - Multiple external DoS attacks exist in the server. These
are related to the attacks below, in 0.9.2, but were not caught then. The
vulnerabilities are fixed in 1.0.1, and in all later versions of the server.
The vulnerabilities are not exploitable, but can be used to remotely crash the
server.
# 2003.11.20 v0.9.3 - There is an externally exploitable root compromise in
rlm_smb, through a stack overflow when a password greater than 128 bytes
referenced by the module. The module is not built or installed by default, so
we have not released a 0.9.4. This vulnerability is fixed in the CVS snapshots,
and will be included in any later release of the server.
- PS i know redhat have done backporting of various fixes - but we have no idea
exactly which backports and since
the resulting '0.9.3' code is different to the native 0.9.3 code, any bugs may
well be because of the Redhat changes
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: sync hungroups, clients files, users across multiple servers
That is exactly what I want to do! I just started using subversion with RANCID and am not very knowledgeable about svn. How can I get a 'diff' spread around like that? I am thinking about what you have said and it could be completely wrong, 1. A change is commited on a watched file like 'huntgroups.' 2. A local script diffs it against a remote subversion repo copy (or a local copy?) via a cron job 3. The diff gets checked in to svn. 4. The scripts on the other RADIUS servers then notice the diff in the repo copy and apply it to their own files? Sounds like I need to build up my script writing skills... Regards, -Charles Master timed out! Holding election... I am declaring myself the master! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, November 10, 2006 3:20 PM To: FreeRadius users mailing list Subject: Re: sync hungroups, clients files, users across multiple servers Hi, Greets! What is a good way or considered best practice for folks to sync changes to critical files in use by radius like huntgroups and clients.conf and users across multiple RADIUS servers. I am not using MySQL backend, but rather relaying requests for auth off to PAM which checks against a samba/NT-Domain, thus the user account existing locally on the server. With several servers it becomes a PIA and can lead to misconfiguration errors due to human data entry when you have to enter everything into each server. Does anyone want to share a script they have written to do this? you could use rsync, http://samba.anu.edu.au/rsync/ or subversion, http://subversion.tigris.org/ and actually keep your configurations all held on such a central repository. you can then actually update the configuration from any one of your servers and get them all to autometically get the latest version... be that with a frequent cronjob that checks for changes (and if there have been any, download them!) or from a forced update. this way you also have a centralised way of seeing what changed, when and who by. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html CONFIDENTIAL NOTICE: This email including any attachments, contains confidential information belonging to the sender. It may also be privileged or otherwise protected by work product immunity or other legal rules. This information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance on the contents of this emailed information is strictly prohibited. If you have received this email in error, please immediately notify us by reply email of the error and then delete this email immediately. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Choice database
Hi, I am setting up my first radius server, and I have two databases. Someone could tell me if there is a file in freeradius where I can choice what database I will to use?Thanks a lot,Marilene - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[3]: limiting sessions
...
DELETE FROM radius.usergroup WHERE GroupName = 'aroma'
THEN...
INSERT INTO radius.usergroup (UserName, CreationDate, GroupName)
VALUES ('username0001', (CURRENT_DATE), 'aroma');
repeated for all 500 usernames...
I think this should work, as all the usernames in use are stored in
radcheck and I'm not touching that table at all. Worst case scenario,
users continue to authenticate without a session limit and I go back
to work...
DOES THIS SOUND RIGHT?
Andrew
Well I think all the gurus let me swim alone on this one, and it
all worked out... now we have our 30 minutes session limits working!
Kevin... thanks for the clue!
Andrew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to handle EAP/LDAP or files with same server
I'm trying to finally rid myself of Cisco ACS with FR 1.1.3 and
mostly having great success (performance is so much better!) but
can't seem to figure out how to handle two different types of
wireless authentication in separate non-overlapping ways.
Case 1 is EAP/TLS where user ID (email address from cleint cert) is
also looked up via LDAP.
Case 2 is MAC authentication using the users file.
I have both of these working with one issuse, MACs that are not in
the users file are being sent to LDAP server adding unnecessary load.
authorize {
preprocess
files
ldap {
notfound = return
}
eap
}
The solution I can think of is to only send user name's that are
email addresses to ldap. Is this something that can be done with a
proxy conf and realms? I'm having trouble understanding if/how those
can influence the authorize section.
Thanks,
-Keith
Keith Moores mailto:[EMAIL PROTECTED]
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy RdPhone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324 Fax(434) 982-4715
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to handle EAP/LDAP or files with same server
Keith Moores [EMAIL PROTECTED] wrote:
I have both of these working with one issuse, MACs that are not in
the users file are being sent to LDAP server adding unnecessary load.
One solution is to recognize MAC's, and NOT look them up in LDAP.
Another is to recognize email addresses, and cause them to be looked
up in LDAP.
The solution I can think of is to only send user name's that are
email addresses to ldap. Is this something that can be done with a
proxy conf and realms?
No.
This should work:
#-- users file
DEFAULT User-Name =~ @, EAP-Message =* 0x00, Autz-Type := email
#---
#--- radiusd.conf
authorize {
preprocess
files
Autz-Type email {
ldap
eap
}
}
#---
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Choice database
sql.conf on /usr/local/etc/raddb while you are at it, look at the other .conf file too. --- Marilene Lima [EMAIL PROTECTED] wrote: Hi, I am setting up my first radius server, and I have two databases. Someone could tell me if there is a file in freeradius where I can choice what database I will to use? Thanks a lot, Marilene - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Apu Islam ( E Pluribus Unum) Want to start your own business? Learn how on Yahoo! Small Business. http://smallbusiness.yahoo.com/r-index - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
