Error rlm_exec
I can't start freeradius 1.1.3_1 on FreeBSD6

radius.log:
Error: radiusd.conf[226] Failed to link to module 'rlm_exec': /usr/local/lib/rlm_exec.a: invalid file format

???

Sergu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SQL connections and radius restart
Guido wrote:
> The exact question is, how could I detect when freeradius loses connection with the SQL and how can I reconnect it automatically.

The code in rlm_sql should do this, but apparently sometimes it doesn't. The solution is to track down the bugs in rlm_sql, and fix them.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: NAS Port always 0
Tom Murphy wrote:
> I put in some debugging code there to spit out the ifname and devname. For some reason, they are both blank. I'm using openl2tpd and that may

Hmm

> be messing up the reporting of the ppp interface, but, my question is this: At the time the RADIUS authentication is being run, is pppd supposed to know which ppp interface it's going to use? (i.e. ppp3) When I

As far as I know, once LCP is up the unit is assigned, and ifname set. You'll definitely have to take this up with the openl2tp / ppp developers.
Problem with EAP/MD5 behind proxy
Hi,

I run into this problem:

Config:
802.1x client (Windows XP with 802.1x / md5) -- freeradius-proxy -- freeradius-server

Same prg-version on both servers (1.1.0)
same radius.conf
same users file

If I try to authenticate against the proxy without realm, everything is o.k.
If I try this with a realm, the second radius-server shows this error:

rlm_eap: Identity does not match User-Name, setting from EAP Identity
rlm_eap: Failed in handler

Any ideas?

Hans

--
Hans Bornemann
Universitaet Dortmund - Hochschulrechenzentrum
Tel. ++49 231 755 2132
Fax. ++49 231 755 2731
RE: Problem with EAP/MD5 behind proxy
You're stripping the realm at the proxy; add nostrip to the realm stanza defined in realms.conf for the server you're proxying to.

Josh.

-----Original Message-----
From: [EMAIL PROTECTED] us.org [mailto:[EMAIL PROTECTED] freeradius.org] On Behalf Of Hans Bornemann
Sent: 07 December 2006 10:57
To: freeradius-users@lists.freeradius.org
Subject: Problem with EAP/MD5 behind proxy

Hi,

I run into this problem:

Config:
802.1x client (Windows XP with 802.1x / md5) -- freeradius-proxy -- freeradius-server

Same prg-version on both servers (1.1.0)
same radius.conf
same users file

If I try to authenticate against the proxy without realm, everything is o.k.
If I try this with a realm, the second radius-server shows this error:

rlm_eap: Identity does not match User-Name, setting from EAP Identity
rlm_eap: Failed in handler

Any ideas?

Hans

--
Hans Bornemann
Universitaet Dortmund - Hochschulrechenzentrum
Tel. ++49 231 755 2132
Fax. ++49 231 755 2731
RE: Problem with EAP/MD5 behind proxy
Hi Josh,

That's what I want: stripping the realm at the proxy:

proxy.conf:
..
realm notebook {
        type = radius
        authhost = 111.222.111.111:1812
        accthost = 111.222.111.111:1813
        secret = blabla
}

users:
testuser User-password == testing

Login with [EMAIL PROTECTED] -- Authentication failed on radius-server no. 2
Login with testuser -- Authentication o.k. on radius-server no. 1

Both radius-servers have the same users-file.

Hans

On Thu, 2006-12-07 at 11:28 +, Josh Howlett wrote:
> You're stripping the realm at the proxy; add nostrip to the realm stanza defined in realms.conf for the server you're proxying to.
>
> Josh.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] us.org [mailto:[EMAIL PROTECTED] freeradius.org] On Behalf Of Hans Bornemann
> Sent: 07 December 2006 10:57
> To: freeradius-users@lists.freeradius.org
> Subject: Problem with EAP/MD5 behind proxy
>
> Hi,
>
> I run into this problem:
>
> Config:
> 802.1x client (Windows XP with 802.1x / md5) -- freeradius-proxy -- freeradius-server
>
> Same prg-version on both servers (1.1.0)
> same radius.conf
> same users file
>
> If I try to authenticate against the proxy without realm, everything is o.k.
> If I try this with a realm, the second radius-server shows this error:
>
> rlm_eap: Identity does not match User-Name, setting from EAP Identity
> rlm_eap: Failed in handler
>
> Any ideas?
>
> Hans
>
> --
> Hans Bornemann
> Universitaet Dortmund - Hochschulrechenzentrum
> Tel. ++49 231 755 2132
> Fax. ++49 231 755 2731

--
Hans Bornemann
Universitaet Dortmund - Hochschulrechenzentrum
Tel. ++49 231 755 2132
Fax. ++49 231 755 2731
Re: Problem with EAP/MD5 behind proxy
Hi,

> testuser User-password == testing

testuser User-Password == testing, Auth-Type := local

alan
Authentication registers on MySQL
Hi Folks,

I'm building a new freeradius server here, and I wanna make some implementations:

1. Log every authentication (successful or not) to MySQL database;
2. but, log *only* the last 10 registers of authentication in database.

The database connection is already working ok, and I'm retrieving the user information from radcheck table. Does anybody know how to implement this?

Thanks,

Felipe Neuwald.
Re: Problem with EAP/MD5 behind proxy
Hi Alan,

Auth-Type := Local produced the following failure:

users:
steve Auth-Type := Local, User-Password = testing

Debug output:

Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 129.217.169.240:1645, id=134, length=149
        User-Name = steve
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-0E-84-A0-28-0D
        Calling-Station-Id = 00-0B-5D-52-76-94
        EAP-Message = 0x0202000a017374657665
        Message-Authenticator = 0x21b9b903131d1f20dbfafc8035ad22ae
        Cisco-NAS-Port = FastEthernet0/13
        NAS-Port = 50013
        NAS-Port-Type = Ethernet
        NAS-IP-Address = 129.217.169.240
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 44
  rlm_eap: EAP packet type response id 2 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 44
  modcall[authorize]: module preprocess returns ok for request 44
  modcall[authorize]: module chap returns noop for request 44
  modcall[authorize]: module mschap returns noop for request 44
    rlm_realm: No '@' in User-Name = steve, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 44
    users: Matched entry steve at line 15
  modcall[authorize]: module files returns ok for request 44
modcall: leaving group authorize (returns updated) for request 44
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [steve/no User-Password attribute] (from client gb5-sw5 port 50013 cli 00-0B-5D-52-76-94)
Delaying request 44 for 1 seconds
Finished request 44
Going to the next request

Hans

On Thu, 2006-12-07 at 12:32 +, [EMAIL PROTECTED] wrote:
> Hi,
>
> > testuser User-password == testing
>
> testuser User-Password == testing, Auth-Type := local
>
> alan

--
Hans Bornemann
Universitaet Dortmund - Hochschulrechenzentrum
Tel. ++49 231 755 2132
Fax. ++49 231 755 2731
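The mismatch discussed in this thread, as an added example that is not part of any poster's message and not FreeRADIUS code: it decodes the EAP-Message from the debug output above and models the Identity versus User-Name comparison for a stripped and an unstripped realm. The function names and the login `testuser@notebook` are assumptions (the realm name comes from the posted proxy.conf; the address in the post itself is redacted).

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap(hex_value):
    """Decode an EAP-Message value as printed in radiusd debug output."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not fit the attribute data")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:length]
    return pkt


def build_identity_response(ident, identity):
    """Build the hex EAP-Message a supplicant sends as its EAP-Identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return "0x" + (struct.pack("!BBH", 2, ident, 4 + len(body)) + body).hex()


def strip_realm(user_name):
    """Model of a proxy realm without 'nostrip': User-Name loses '@realm'."""
    return user_name.split("@", 1)[0]


def identity_matches(user_name, eap_hex):
    """Model of the check behind 'Identity does not match User-Name'."""
    pkt = parse_eap(eap_hex)
    if pkt.get("type") != EAP_TYPE_IDENTITY:
        return True  # later EAP rounds carry no identity to compare
    return pkt["data"].decode(errors="replace") == user_name


# EAP-Message copied from the debug output in this thread (User-Name = steve).
THREAD_EAP = "0x0202000a017374657665"

# Constructed login: realm from the posted proxy.conf, user from the users file.
LOGIN = "testuser@notebook"
SUPPLICANT_EAP = build_identity_response(2, LOGIN)

if __name__ == "__main__":
    print(parse_eap(THREAD_EAP))
    # Stripping changes User-Name; the identity inside EAP-Message keeps the realm.
    print("stripped:", identity_matches(strip_realm(LOGIN), SUPPLICANT_EAP))
    print("nostrip: ", identity_matches(LOGIN, SUPPLICANT_EAP))
```
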
Re: Problem with EAP/MD5 behind proxy
Hi,

> Hi Alan,
>
> Auth-Type := Local produced the following failure:
>
> users:
> steve Auth-Type := Local, User-Password = testing

do i have to query you on this one?

alan
Re: Error rlm_exec
What messages did you have when you compiled it? It seems that it could not build rlm_exec correctly. You could look at the config.log file within the build directory.

Hernan Antolini

[EMAIL PROTECTED] wrote on 12/07/2006 05:51:07 AM:
> I can't start freeradius 1.1.3_1 on FreeBSD6
>
> radius.log:
> Error: radiusd.conf[226] Failed to link to module 'rlm_exec': /usr/local/lib/rlm_exec.a: invalid file format
>
> ???
>
> Sergu
Re: Problem with EAP/MD5 behind proxy
Sorry, only a typing error in the mail. The users file is correct:

steve Auth-Type := Local, User-Password == testing

Hans

> Hi,
>
> > Hi Alan,
> >
> > Auth-Type := Local produced the following failure:
> >
> > users:
> > steve Auth-Type := Local, User-Password = testing
>
> do i have to query you on this one?
>
> alan
Choosing The best replication system.
Hello all,

With the way work is and the pops are growing, looks like I need to start centralising the database. At the moment I have 4 pops around the country and all are feeding from satellite links. As the company is growing it is becoming very hard to maintain, and we are looking to have a central MySQL DB in the UK which feeds the slave machines with the updated info.

Each pop will have a live radius / mysql db feeding info back to a master machine in the UK and that would replicate the info down to the slaves on the other pops, this is the wishful thinking I have :).

I have read about Replication with MySQL (One-Way) and radrelay, then I noticed there is rlm_sql_log and radsqlrelay.

One thing I must mention: there is a lot of LAG on the satellite connection, looking at approx 650ms, and because of BW cost we do rely on proxies, which makes BW usage during the day very expensive, so I would like to be able to replicate maybe once a night, let's say at midnight, being less busy and cheaper.

Any one out there with some ideas they can send my way..

Thanks

Sarky
Global address pool
Hi folks.

I'm looking into ways to implement a global address pool for multiple NASes and multiple RADIUS servers. I see that there's 2 possible ways of doing it with FreeRADIUS.

1) use rlm_ippool
2) use rlm_sqlippool

I'm leaning towards rlm_sqlippool since it can be used to lease an address to a subscriber for a period of time so they get the same ip address for the duration of the lease.

Are there any other ways to implement a NAS independent address pool and be able to lease the same address to a subscriber?

Is anyone using sqlippool in production?

Thanx

Paul
Re: Global address pool
From what I've seen on the lists, sqlippool is full of bugs and holes. If you're planning to put it into a production environment, I'd strongly suggest booking a coder for a couple of days :-) Such is the nature of open-source I guess.

There is no other truly feasible way of leasing IPs over multiple servers, other than Rsync'ing the pool files, or manually assigning different RADIUS servers for different pools - the second means that you are basically splitting your system into multiple independent groups - several NASes to one RADIUS server. However, both of these are hacks.

I'm using rlm_ippool at the moment on a multi-nas basis, as I have had both two NASes getting IPs assigned to users from a single shared pool, and also one-pool-per-NAS. Both work fine. It's your choice really - you can always just use one-pool-per-NAS and manually assign each NAS to a RADIUS server responsible for maintaining the pool, while you're getting sqlippool up to production standards.

Hope this helps,

Jan

On 07/12/06, Paul Khavkine [EMAIL PROTECTED] wrote:
> Hi folks.
>
> I'm looking into ways to implement a global address pool for multiple NASes and multiple RADIUS servers. I see that there's 2 possible ways of doing it with FreeRADIUS.
>
> 1) use rlm_ippool
> 2) use rlm_sqlippool
>
> I'm leaning towards rlm_sqlippool since it can be used to lease an address to a subscriber for a period of time so they get the same ip address for the duration of the lease.
>
> Are there any other ways to implement a NAS independent address pool and be able to lease the same address to a subscriber?
>
> Is anyone using sqlippool in production?
>
> Thanx
>
> Paul
FreeRadius Framed-IP-Address
Hi.

I have freeradius working with eap/peap. The users can authenticate them, but the Framed-IP-Address doesn't work, they can't get an ip address... but, if I connect a DHCP to the network, all work fine: authentication-get address- network access

What can be wrong with the Framed-IP-Address???

This is an example of a successful connection:

...
Sending Access-Accept of id 44 to 192.168.100.185 port 1391
        Framed-IP-Address := 192.168.100.211
        Framed-IP-Netmask := 255.255.255.0
        Framed-Protocol := PPP
        Service-Type := Framed-User
        Framed-Compression := Van-Jacobson-TCP-IP
        Tunnel-Medium-Type:0 := IEEE-802
        Tunnel-Type:0 := VLAN
        MS-MPPE-Recv-Key = 0x1714c6bb40821fd973e97f7bbfa7a05110206fb083138414a453fb4c08ab3b56
        MS-MPPE-Send-Key = 0x6d7baa66c5cea48be8998e1bf9b04a46ae59905700e923b6f9a1462da7ce3b22
        EAP-Message = 0x032c0004
        Message-Authenticator = 0x
        User-Name = profesor01
Finished request 8
Re: FreeRadius Framed-IP-Address
Daniel Romero wrote:
> Hi. I have freeradius working with eap/peap. The users can authenticate them, but the Framed-IP-Address doesn't work,

RADIUS cannot assign IP addresses when PEAP (or any 802.1x authentication) is used.

> they can't get an ip address... but, if I connect a DHCP to the network, all work fine: authentication-get address- network access

Yes. That's the way it works.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FreeRadius Framed-IP-Address
Cool hint... thanks again my master xD

So, IP address assign works only on ¿.?

On 12/7/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Daniel Romero wrote:
> > Hi. I have freeradius working with eap/peap. The users can authenticate them, but the Framed-IP-Address doesn't work,
>
> RADIUS cannot assign IP addresses when PEAP (or any 802.1x authentication) is used.
>
> > they can't get an ip address... but, if I connect a DHCP to the network, all work fine: authentication-get address- network access
>
> Yes. That's the way it works.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: FreeRadius Framed-IP-Address
Daniel Romero wrote:
> Cool hint... thanks again my master xD
>
> So, IP address assign works only on ¿.?

PPP. Dial-up...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: help
John Wan wrote:
> But I would like to use the Windows 2k3 AD to authenticate the username and password instead of using the user name and password from the file /etc/raddb/users or in mysql.

See the Wiki my web site for instructions on using Active Directory.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Multiple sql groups or User in Multiple groups
Hi again,

I just want to clarify my previous email. What I want is to authenticate one user who is in multiple groups. I am assuming that the group binding is occurring as a result of the check items, but this is where it appears to fail.

In fact two separate problems are occurring with point 5 from http://wiki.freeradius.org/Rlm_sql

1. Incorrect radgroupreply items are being returned, dependent on database row order. I have found that the first group returned from usergroup is used for the reply, even if that group doesn't match the check items in radgroupcheck.
2. The user cannot authenticate at all when trying the second or subsequent groups (as returned from usergroup).

For clarity I am trying to achieve the SQL equivalent of the lines below, however as we are doing chap I need to have the usernames and passwords stored in the database (radcheck).

DEFAULT Auth-Type := Local, NAS-IP-Address == 10.0.0.1
        Exec-Program-Wait = /program for nas1
DEFAULT Auth-Type := Local, NAS-IP-Address == 10.0.0.2
        Exec-Program-Wait = /program for nas2

Is what I am trying to do possible, or does the server code need attention?

PS; What happened to the new website?

Cheers,

Stavros
EscapeNet
Re: Multiple sql groups or User in Multiple groups
Stavros Patiniotis wrote:
> For clarity I am trying to achieve the SQL equivalent of the lines below, however as we are doing chap I need to have the usernames and passwords stored in the database (radcheck).
>
> DEFAULT Auth-Type := Local, NAS-IP-Address == 10.0.0.1
>         Exec-Program-Wait = /program for nas1

You don't need to set Auth-Type. And if the per-NAS configuration is fairly static, you can use rlm_passwd to map NAS to Exec-Program-Wait. Users should still go into SQL, as their information will change a fair bit.

> PS; What happened to the new website?

What do you mean by that?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog