Reject reason
I am authenticating users based on Calling-Station-Id in addition to the password. All accepts and rejects are logged to the postauth table in my database. But I cannot see why the user got rejected, whether it was a wrong Calling-Station-Id or a wrong password. Any ideas?

Cheers,
Jørn

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Queries appear in Dialup_admin page
Thanks... it resolved the problem.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Richard Cotrina
Sent: Thursday, 9 November 2006 17:42
To: FreeRadius users mailing list
Subject: Re: Queries appear in Dialup_admin page

Take a look at your conf/admin.conf file in the dialup_admin directory, and disable sql or ldap debug (depends on what you are using):

  ldap_debug: false
  sql_debug: false

regards

On Thu, 9 Nov 2006, CASTANHEIRA, Nuno Osvaldo wrote:

Hi, I have a strange problem in my freeradius with the dialup_admin interface. When I choose the fields statistics, user statistics, online users, radius clients, etc., the queries appear in the Dialup_Admin page... very strange. Can anyone tell me what I'm doing wrong? Sorry for my English. Thanks.

Nuno Castanheira
REFERTELECOM
E-mail: [EMAIL PROTECTED]
rlm_sql multiple instances handling of
Hi,

I have a problem where I need a lot of threads to catch accounting data, and a lot of threads means a lot of DB handles. Alas, this means more than 256 DB handles, which is the limit for rlm_sql. My thought therefore was to instantiate multiple rlm_sql modules to increase the number of DB handles available. However, I am wondering how to use this now. This system is purely for accounting. If I put in the accounting stanza:

  sql1
  sql2
  sqln

will the accounting packet be sent to all sql instances in turn, or just to the first one that succeeds, and then not any further? Will a "no free db handles" error from sql1 lead to sql2 being attempted?

Thanks in advance

Graeme Hinchliffe (BSc)
Core Systems Designer
Zen Internet (http://www.zen.co.uk/)
Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005
network addresses in huntgroup file
Hi,

is there a way to define networks in the huntgroup file, something like

  name == 10.0.0.1/24

Hans

--
Hans Bornemann
Universitaet Dortmund - Hochschulrechenzentrum
Tel. ++49 231 755 2132
Fax. ++49 231 755 2731
help configuring a Proxim Tsunami MP.11 5054-R and free radius
Hi:

Really simple question here... In my users file I have:

  0020A666B9E6    Auth-Type := local, User-Password := qwerty1

In my clients.conf file I have:

  client 172.16.20.18 {
      secret    = qwerty1
      shortname = base
  }

My "show system" on the Tsunami is:

  System Name                  : base
  System Mode                  : bridge
  Descriptor                   : Tsunami MP.11 5054-R v2.3.0(169) SN-06UT30570483
  Location                     : BLANKED OUT by ME
  Contact Name                 : xx
  Contact Email                : [EMAIL PROTECTED]
  Contact Number               : +xxx xx
  Up Time (DD:HH:MM:SS)        : 0:0:46:6
  System OID                   : 1.3.6.1.4.1.11898.2.4.9
  Ethernet MAC Address         : 00:20:A6:66:B9:E6
  Country                      : ZA
  System Flash Backup Interval : 120
  Device HW Type               : Outdoor

Now when I reboot the modem I get the following error when I run radiusd -XX:

  Waking up in 31 seconds...
  Thread 1 got semaphore
  Thread 1 handling request 0, (1 handled so far)
          User-Name = 0020a6-66b9e6
          User-Password = qwerty1
          NAS-IP-Address = 172.16.20.18
          NAS-Port = 0
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
      rlm_realm: No '@' in User-Name = 0020a6-66b9e6, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    modcall[authorize]: module files returns notfound for request 0
  modcall: leaving group authorize (returns ok) for request 0
  auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
  auth: Failed to validate the user.
  Login incorrect: [0020a6-66b9e6/qwerty1] (from client base port 0)
  Delaying request 0 for 1 seconds
  Finished request 0
  Going to the next request
  Thread 1 waiting to be assigned a request
  rad_recv: Access-Request packet from host 172.16.20.18:6001, id=1, length=65
  Sending Access-Reject of id 1 to 172.16.20.18 port 6001
  --- Walking the entire request list ---
  Cleaning up request 0 ID 1 with timestamp 455489dd
  Nothing to do.  Sleeping until we see a request.

Now what am I doing wrong? Please, any and all help is greatly appreciated.

Cameron
Re: FR-1.1.3 on solaris10 strange things
On Wed, 2006-11-08 at 14:56 -0500, Alan DeKok wrote:

  Alexander Serkin [EMAIL PROTECTED] wrote:
    Maybe someone could give advice on how to debug the problem while the server is not in production?

  Attach to it with gdb, and see what it's doing.

Or use the 'truss' command to see what is going on.

John.

--
John Horne, University of Plymouth, UK   Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]                Fax: +44 (0)1752 233839
dialup_admin+ldap+sql
Hi,

I saw that dialup_admin can use LDAP or SQL to manage users. I'd like to know if I can, using dialup_admin:

1. authenticate users with LDAP and add to the RADIUS server answer per-user attributes that are stored in my SQL DB;
2. authenticate users with LDAP and add to the RADIUS server answer attributes depending on the NAS huntgroups and LDAP group.

I already did this with the freeradius users configuration file, and now I'd like to add new users or default users using only a GUI. See my users file:

  Robert  Auth-Type = LDAP
          Service-Type = NAS-Prompt-User,
          cisco-avpair = "shell:priv-lvl=1"

  DEFAULT Ldap-Group == "ou=admin,ou=groupe,dc=company,dc=com", Huntgroup-Name == "alphen"
          Service-Type = NAS-Prompt-User,
          cisco-avpair = "shell:priv-lvl=15"

Thank you for your help
Thomas
FreeRadius 1.1.3 and PHPMyPrepaid
I was wondering if anyone has worked the two of these together happily? I've managed to get RADIUS configured and running (thanks guys!). But I can't log in with a phpmyprepaid user. If I create my own user (very simplistic) it works with no worries; otherwise the user is rejected because of a value in the database.

Here is an example of the database records. radcheck is the table. The create table statement is as follows:

  CREATE TABLE `radcheck` (
    `id` int(11) unsigned NOT NULL auto_increment,
    `UserName` varchar(64) NOT NULL default '',
    `FirstName` varchar(40) NOT NULL default '',
    `LastName` varchar(40) NOT NULL default '',
    `CustID` varchar(5) NOT NULL default '',
    `Attribute` varchar(32) NOT NULL default '',
    `op` char(2) NOT NULL default '==',
    `Value` varchar(253) NOT NULL default '',
    `CrDate` timestamp NOT NULL default '0000-00-00 00:00:00',
    `creator` varchar(20) default 'NULL',
    `Location` smallint(4) default '0',
    `activated` smallint(4) NOT NULL default '0',
    `activeDate` timestamp NOT NULL default '0000-00-00 00:00:00',
    `status` smallint(4) NOT NULL default '0',
    `rate` smallint(4) NOT NULL default '1',
    `Type` varchar(50) NOT NULL default '',
    `BillingPlan` smallint(4) NOT NULL default '0',
    `TimeToFinish` smallint(1) NOT NULL default '0',
    PRIMARY KEY (`id`),
    KEY `UserName` (`UserName`(32))
  ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=67 ;

id 1 works (username michelle); id 2 fails, and the reason given when running radiusd -X is that it doesn't recognize Max-All-Session. Have I missed something in the configuration that would set that up for me? Or am I whistling up a tree trying to get phpmyprepaid to work? I will admit that it wasn't pleasant getting oddities to work for me in phpmyprepaid; there were a lot of little things in the code that drove me bonkers. I am also using DD-WRT on a Linksys, Chillispot, and FreeRadius 1.1.3 on CentOS.

  INSERT INTO `radcheck` (`id`, `UserName`, `FirstName`, `LastName`, `CustID`, `Attribute`, `op`, `Value`, `CrDate`, `creator`, `Location`, `activated`, `activeDate`, `status`, `rate`, `Type`, `BillingPlan`, `TimeToFinish`) VALUES
    (1, 'michelle', 'michelle', 'manning', '1', 'Password', ':=', 'michelle', '0000-00-00 00:00:00', 'NULL', 0, 0, '0000-00-00 00:00:00', 0, 1, '', 0, 0),
    (2, 'tansel6', '', 'tansel6', '', 'Password', ':=', 'tansel6', '2006-11-09 16:01:52', 'admin', 1, 0, '0000-00-00 00:00:00', 0, 1, 'Hourly', 1, 0),
    (3, 'tansel6', '', 'tansel6', '', 'Simultaneous-Use', ':=', '1', '2006-11-09 16:01:52', 'admin', 1, 0, '0000-00-00 00:00:00', 0, 1, 'Hourly', 1, 0),
    (4, 'tansel6', '', 'tansel6', '', 'Max-All-Session', ':=', '1800', '2006-11-09 16:01:52', 'admin', 1, 0, '0000-00-00 00:00:00', 0, 1, 'Hourly', 1, 0),
    (5, 'tansel6', '', 'tansel6', '', 'WISPr-Location-ID', ':=', '1', '2006-11-09 16:01:52', 'admin', 1, 0, '0000-00-00 00:00:00', 0, 1, 'Hourly', 1, 0),
    (6, 'tansel6', '', 'tansel6', '', 'Expiration', ':=', '09 May 2007 00:00:00', '2006-11-09 16:01:52', 'admin', 1, 0, '0000-00-00 00:00:00', 0, 1, 'Hourly', 1, 0),
Re: Discarding new requests and CPU eats 99.9%
Cihan DEMİR [EMAIL PROTECTED] wrote:
  We're using 0.9.3 version on RedHat. ... Any comment? Thanks in advance.

Upgrade.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Reject reason
Jørn Kostøl Gundersen [EMAIL PROTECTED] wrote:
  But I cannot see why the user got rejected, if it was wrong Calling-Station-Id or wrong password.

There are any number of reasons why a user may be rejected. Logging all of them is problematic, especially when the user is being rejected for multiple reasons.

The short answer is no, it's difficult to tell why they were rejected. You'll have to instrument the server to print out that information.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
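Short of instrumenting the server, the "radiusd -X" debug output already records which module said what about a request and the "auth:" line that explains the reject. The parser below is an added example (not code from the list or from the FreeRADIUS project) that pulls those pieces out of a debug trace so the reject reason can be stored next to the postauth row; the SAMPLE_DEBUG text is constructed, modelled on the Tsunami trace further down this page, and the module names in quotes are an assumption about the exact line format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of "radiusd -X" output, modelled on the Tsunami trace on
# this page. It is not a real capture; the values are made up.
SAMPLE_DEBUG = """\
Thread 1 handling request 0, (1 handled so far)
        User-Name = "0020a6-66b9e6"
        User-Password = "qwerty1"
        NAS-IP-Address = 172.16.20.18
        NAS-Port = 0
        Calling-Station-Id = "00-20-A6-66-B9-E6"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [0020a6-66b9e6/qwerty1] (from client base port 0)
Sending Access-Reject of id 1 to 172.16.20.18 port 6001
"""

# One regex per line kind we care about. Module names may or may not be quoted
# depending on the server version, so the quotes are optional.
MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "?([\w.-]+)"? returns (\w+)')
ATTR_RE = re.compile(r'^\s+([A-Za-z][\w-]*) = (.+)$')
AUTH_RE = re.compile(r'^auth: (.+)$')
OUTCOME_RE = re.compile(r'^Sending (Access-Accept|Access-Reject|Access-Challenge) ')


def parse_debug(text: str) -> Dict[str, object]:
    """Extract request attributes, per-module results, auth messages and the
    final reply type from one request's worth of debug output."""
    attributes: Dict[str, str] = {}
    modules: List[Tuple[str, str, str]] = []
    auth_messages: List[str] = []
    outcome: Optional[str] = None
    for line in text.splitlines():
        m = MODULE_RE.search(line)
        if m:
            modules.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = ATTR_RE.match(line)
        if m:
            attributes[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = AUTH_RE.match(line)
        if m:
            auth_messages.append(m.group(1).strip())
            continue
        m = OUTCOME_RE.match(line)
        if m:
            outcome = m.group(1)
    return {
        "attributes": attributes,
        "modules": modules,
        "auth_messages": auth_messages,
        "outcome": outcome,
    }


def reject_reason(parsed: Dict[str, object]) -> Optional[str]:
    """Best available explanation for a reject: the server's own 'auth:' line
    if it names one, otherwise the first module that returned a failing code."""
    if parsed["outcome"] != "Access-Reject":
        return None
    for msg in parsed["auth_messages"]:
        if "reject" in msg.lower():
            return msg
    for section, module, result in parsed["modules"]:
        if result in ("reject", "fail", "invalid", "userlock"):
            return "%s returned %s in %s" % (module, result, section)
    msgs = parsed["auth_messages"]
    return msgs[-1] if msgs else "reason not logged"


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    print(parsed["attributes"].get("User-Name"), parsed["outcome"])
    print(reject_reason(parsed))
```

The per-module tuples are what tells a Calling-Station-Id mismatch apart from a bad password in practice: a check-item mismatch shows up as the files or sql module returning notfound in authorize, while a bad password surfaces later, in authenticate. Feed a multi-request trace through this one request at a time (split on "Thread N handling request").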
Re: help configuring a Proxim Tsunami MP.11 5054-R and free radius
Cameron Cowie [EMAIL PROTECTED] wrote:
  in my user file I have
  0020A666B9E6    Auth-Type := local, User-Password := qwerty1
  ...
  Thread 1 handling request 0, (1 handled so far)
          User-Name = 0020a6-66b9e6

It's not the same username.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
sync huntgroups, clients files, users across multiple servers
Greets!

What is a good way, or considered best practice, for folks to sync changes to critical files in use by radius like huntgroups, clients.conf and users across multiple RADIUS servers? I am not using a MySQL backend, but rather relaying requests for auth off to PAM, which checks against a Samba/NT domain, so the user account does not exist locally on the server. With several servers it becomes a PIA and can lead to misconfiguration errors due to human data entry when you have to enter everything into each server. Does anyone want to share a script they have written to do this?

Thanks!
-Charles

Master timed out! Holding election... I am declaring myself the master!

CONFIDENTIAL NOTICE: This email including any attachments, contains confidential information belonging to the sender. It may also be privileged or otherwise protected by work product immunity or other legal rules. This information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance on the contents of this emailed information is strictly prohibited. If you have received this email in error, please immediately notify us by reply email of the error and then delete this email immediately.
Re: sync huntgroups, clients files, users across multiple servers
Hi,

  Greets! What is a good way or considered best practice for folks to sync changes to critical files in use by radius like huntgroups and clients.conf and users across multiple RADIUS servers. I am not using MySQL backend, but rather relaying requests for auth off to PAM which checks against a samba/NT-Domain, thus the user account existing locally on the server. With several servers it becomes a PIA and can lead to misconfiguration errors due to human data entry when you have to enter everything into each server. Does anyone want to share a script they have written to do this?

You could use rsync, http://samba.anu.edu.au/rsync/, or subversion, http://subversion.tigris.org/, and actually keep your configurations all held on such a central repository. You can then update the configuration from any one of your servers and get them all to automatically get the latest version... be that with a frequent cronjob that checks for changes (and if there have been any, downloads them!) or from a forced update.

This way you also have a centralised way of seeing what changed, when and who by.

alan
Re: Discarding new requests and CPU eats 99.9%
Hi,

  Cihan DEMİR [EMAIL PROTECTED] wrote:
    We're using 0.9.3 version on RedHat. ... Any comment? Thanks in advance.

  Upgrade.

And to back Alan up, you really should upgrade:

# 2006.03.20 v1.0.5, and v1.1.0 - A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. We recommend that administrators upgrade immediately.

# 2005.09.09 v1.0.3, v1.0.4 - Multiple issues exist with version 1.0.4, and all prior versions of the server. Externally exploitable vulnerabilities exist only for sites that use the rlm_sqlcounter module. Those sites may be vulnerable to SQL injection attacks, similar to the issues noted below. All sites that have not deployed the rlm_sqlcounter module are not vulnerable to external exploits. However, we still recommend that all sites upgrade to version 1.0.5. The issues are:
  * SQL Injection attack in the rlm_sqlcounter module.
  * Buffer overflow in the rlm_sqlcounter module, that may cause a server crash.
  * Buffer overflow while expanding %t, that may cause a server crash.
  These issues were found by Primoz Bratanic. As the rlm_sqlcounter module is marked experimental in the server source, it is not enabled or configured in most sites. As a result, we believe that the number of vulnerable sites is low. Additional issues, not externally exploitable, were found by Suse. A full response to their report is available here. A related post to the vendor-sec mailing list is found here.

# 2005.05.01 v1.0.1, v1.0.2 - Two vulnerabilities in the SQL module exist in all versions prior to 1.0.3. Sites not using the SQL module are not affected by this issue. However, we still recommend that all sites upgrade to version 1.0.3. The issues are:
  * Buffer overflow - A long string could overflow an internal buffer in the SQL module, and write two bytes of text [0-9a-f] past the end of the buffer. The server may exit when this happens, resulting in a DoS attack. Depending on the local configuration of the server, this may occur before a user is authenticated. This vulnerability is externally exploitable, but can not result in the execution of arbitrary code.
  * SQL injection attacks - The SQL module suffers from SQL injection attacks in the group_membership_query, simul_count_query, and simul_verify_query configuration entries. The first query is exploitable if your site is configured to use the SQL-Group attribute in any module in the authorize section of radiusd.conf. The last two queries are exploitable only if your site has user names that contain a single quote character (').

# 2004.09.14 v1.0.0 - Multiple external DoS attacks exist in the server. These are related to the attacks below, in 0.9.2, but were not caught then. The vulnerabilities are fixed in 1.0.1, and in all later versions of the server. The vulnerabilities are not exploitable, but can be used to remotely crash the server.

# 2003.11.20 v0.9.3 - There is an externally exploitable root compromise in rlm_smb, through a stack overflow when a password greater than 128 bytes is referenced by the module. The module is not built or installed by default, so we have not released a 0.9.4. This vulnerability is fixed in the CVS snapshots, and will be included in any later release of the server.

PS: I know Red Hat have done backporting of various fixes, but we have no idea exactly which backports, and since the resulting '0.9.3' code is different from the native 0.9.3 code, any bugs may well be because of the Red Hat changes.

alan
RE: sync huntgroups, clients files, users across multiple servers
That is exactly what I want to do! I just started using subversion with RANCID and am not very knowledgeable about svn. How can I get a 'diff' spread around like that? I am thinking about what you have said, and it could be completely wrong:

1. A change is committed on a watched file like 'huntgroups'.
2. A local script diffs it against a remote subversion repo copy (or a local copy?) via a cron job.
3. The diff gets checked in to svn.
4. The scripts on the other RADIUS servers then notice the diff in the repo copy and apply it to their own files?

Sounds like I need to build up my script writing skills...

Regards,
-Charles

Master timed out! Holding election... I am declaring myself the master!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 10, 2006 3:20 PM
To: FreeRadius users mailing list
Subject: Re: sync huntgroups, clients files, users across multiple servers

Hi,

  Greets! What is a good way or considered best practice for folks to sync changes to critical files in use by radius like huntgroups and clients.conf and users across multiple RADIUS servers. I am not using MySQL backend, but rather relaying requests for auth off to PAM which checks against a samba/NT-Domain, thus the user account existing locally on the server. With several servers it becomes a PIA and can lead to misconfiguration errors due to human data entry when you have to enter everything into each server. Does anyone want to share a script they have written to do this?

You could use rsync, http://samba.anu.edu.au/rsync/, or subversion, http://subversion.tigris.org/, and actually keep your configurations all held on such a central repository. You can then update the configuration from any one of your servers and get them all to automatically get the latest version... be that with a frequent cronjob that checks for changes (and if there have been any, downloads them!) or from a forced update.

This way you also have a centralised way of seeing what changed, when and who by.

alan
Choice database
Hi,

I am setting up my first radius server, and I have two databases. Could someone tell me if there is a file in freeradius where I can choose which database I want to use?

Thanks a lot,
Marilene
Re[3]: limiting sessions
  ...
  DELETE FROM radius.usergroup WHERE GroupName = 'aroma';

THEN...

  INSERT INTO radius.usergroup (UserName, CreationDate, GroupName) VALUES ('username0001', (CURRENT_DATE), 'aroma');

repeated for all 500 usernames...

I think this should work, as all the usernames in use are stored in radcheck and I'm not touching that table at all. Worst case scenario, users continue to authenticate without a session limit and I go back to work... DOES THIS SOUND RIGHT?

Andrew

Well I think all the gurus let me swim alone on this one, and it all worked out... now we have our 30 minute session limits working!

Kevin... thanks for the clue!

Andrew
How to handle EAP/LDAP or files with same server
I'm trying to finally rid myself of Cisco ACS with FR 1.1.3 and am mostly having great success (performance is so much better!), but I can't seem to figure out how to handle two different types of wireless authentication in separate, non-overlapping ways. Case 1 is EAP/TLS, where the user ID (email address from the client cert) is also looked up via LDAP. Case 2 is MAC authentication using the users file. I have both of these working with one issue: MACs that are not in the users file are being sent to the LDAP server, adding unnecessary load.

  authorize {
      preprocess
      files
      ldap {
          notfound = return
      }
      eap
  }

The solution I can think of is to only send user names that are email addresses to ldap. Is this something that can be done with a proxy conf and realms? I'm having trouble understanding if/how those can influence the authorize section.

Thanks,
-Keith

Keith Moores                                   mailto:[EMAIL PROTECTED]
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd         Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324      Fax   (434) 982-4715
Re: How to handle EAP/LDAP or files with same server
Keith Moores [EMAIL PROTECTED] wrote:
  I have both of these working with one issue: MACs that are not in the users file are being sent to the LDAP server, adding unnecessary load.

One solution is to recognize MACs, and NOT look them up in LDAP. Another is to recognize email addresses, and cause them to be looked up in LDAP.

  The solution I can think of is to only send user names that are email addresses to ldap. Is this something that can be done with a proxy conf and realms?

No. This should work:

  #-- users file
  DEFAULT User-Name =~ @, EAP-Message =* 0x00, Autz-Type := email
  #---

  #--- radiusd.conf
  authorize {
      preprocess
      files
      Autz-Type email {
          ldap
          eap
      }
  }
  #---

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
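Two threads on this page turn on how a User-Name is recognised: the Tsunami thread, where the users-file entry 0020A666B9E6 and the request's 0020a6-66b9e6 are "not the same username", and this one, where Alan's Autz-Type entry sends only names containing "@" through ldap. The helper below is an added example, not code from either thread or from FreeRADIUS: it normalises the MAC spellings different NASes send so two entries can be compared, classifies a name as e-mail or MAC, and returns the module sequence Alan's authorize block would run for it. The function names are mine; FreeRADIUS itself compares the users-file entry literally, so the normalisation is something a site would apply before or instead of that lookup.

```python
import re
from typing import List, Optional

# Twelve hex digits once separators are stripped; what every MAC spelling
# on this page (0020A666B9E6, 0020a6-66b9e6, 00:20:A6:66:B9:E6) reduces to.
HEX12 = re.compile(r"^[0-9a-f]{12}$")
# Minimal e-mail shape, matching the "User-Name =~ @" test in Alan's entry.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+$")


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as 12 lower-case hex digits, or None if the value is not
    a MAC in any of the common separator styles."""
    compact = re.sub(r"[-:.\s]", "", value).lower()
    return compact if HEX12.match(compact) else None


def classify_username(name: str) -> str:
    """'email' for user@domain, 'mac' for any MAC spelling, else 'other'."""
    if EMAIL.match(name):
        return "email"
    if normalize_mac(name) is not None:
        return "mac"
    return "other"


def lookup_plan(name: str) -> List[str]:
    """Module order Alan's authorize block produces for this name: preprocess
    and files always run; ldap and eap only inside the Autz-Type email block."""
    plan = ["preprocess", "files"]
    if classify_username(name) == "email":
        plan += ["ldap", "eap"]
    return plan


def users_entry_matches(entry_name: str, request_name: str) -> bool:
    """Compare a users-file entry name with a request User-Name, treating two
    spellings of the same MAC as equal; anything else must match exactly."""
    a, b = normalize_mac(entry_name), normalize_mac(request_name)
    if a is not None and b is not None:
        return a == b
    return entry_name == request_name


if __name__ == "__main__":
    # Constructed names: the two spellings from the Tsunami thread plus an
    # e-mail style EAP/TLS identity.
    for name in ("0020A666B9E6", "0020a6-66b9e6", "alice@example.com"):
        print(name, classify_username(name), lookup_plan(name))
    print(users_entry_matches("0020A666B9E6", "0020a6-66b9e6"))
```

Keeping the LDAP step behind the e-mail test is also a load-shedding control: a flood of unknown MACs from a misbehaving access point stops at the files module instead of becoming LDAP queries.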
Re: Choice database
sql.conf in /usr/local/etc/raddb. While you are at it, look at the other .conf files too.

--- Marilene Lima [EMAIL PROTECTED] wrote:
  Hi, I am setting up my first radius server, and I have two databases. Could someone tell me if there is a file in freeradius where I can choose which database I want to use? Thanks a lot, Marilene

--
Apu Islam (E Pluribus Unum)