major problem with ntlm_auth and winbindd pipe

2007-02-13 Thread Habegger Lukas, ERZ-AZD-AIL
Hi All,

I use freeradius for peap-authentication and I have multiple samba/winbind
services to authenticate against different ADs.

In my setup I use a Perl script to start the right winbindd for a
request.

Now I have the problem that the winbind pipe sometimes dies.

Has anyone experience with dying winbind pipes in a freeradius peap
environment?

Can anyone help me?

Lukas

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
I'm very sorry Alan for replying to your own email address and not on
the list. Here it is


On Mon, 12/02/2007 at 13.35 +0100, Alan DeKok wrote:
 Davide Molteni wrote:
 
  On the cisco I configured:
  radius-server host ipmyradius auth-port 1812 acct-port 1813
  and the other aaa commands needed
  
  If I look at the radius.log file I always see
  
  Error: Ignoring request from unknown client ipmycisco:1645
 
   Did you configure the server to have that IP in clients.conf?

Sure! With the IP and the same shared key as the cisco NAS client

 
  The Cisco router keeps always trying to connect to radius using port
  1645 even if I specified to use 1812...
 
   That's a bug in the Cisco router.

Yeah, but is this a problem for freeradius to work properly? Do I need to set
freeradius to listen on 1645 in radiusd.conf? Or do I need to change it
in /etc/services?

 
  I have tried to configure radius
  server to listen on port 1645 but is the same. 
 
   Listening on port 1645 won't make the server believe that
ipmycisco
 is a known client.

Well, I know this very well; in fact, the client that is ignored is
properly configured in clients.conf
 
  The microsoft radius integration(server 2003) worked at first try
with
  this cisco config...
 
   Really.  Did you configure the Cisco box as a client in the MS
RADIUS
 server?

Yes, sure, I had to put the cisco box into the MS radius as a client,
otherwise it wouldn't work...

Please note that I would like to use this radius for simple PAP ONLY.
Maybe I'm doing something wrong with the users file?
Please tell me the right way to configure a single test user for PAP
only. I would like to disable unused modules (ldap, mysql...)

Couldn't it be a problem with the authentication method?

I forgot an important element to tell anyone who wants to help.
I tried to change the shared key on one side (radius) and noticed that
the log file continues to write the same error

Ignoring request from unknown client IP:1645

So the issue is due to the fact that the cisco client doesn't exchange
the shared key with radius...

Can this help to focus the problem better?

thanks in advance


Re: radwho is not working

2007-02-13 Thread Angel L. Mateo
Hello,

More info about my problem... In the radius.log file I have a lot of
entries of the form:

Tue Feb 13 12:12:13 2007 : Error: rlm_radutmp: Logout for NAS ap port
1627, but no Login record
Tue Feb 13 12:12:35 2007 : Error: rlm_radutmp: Logout for NAS ap port
3100, but no Login record
Tue Feb 13 12:12:46 2007 : Error: rlm_radutmp: Logout for NAS ap port
8726, but no Login record

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

 I'm very sorry Alan for replying to your own email address and not on
 the list. Here it is

your errors are symptomatic of a trivial but basic configuration munge.
can you email your clients.conf and radiusd.conf files

alan


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

 client localhost {
   secret = 181180
   shortname = localhost
   nastype = other
 }
 
 client 192.168.0.1 {
   secret = 181180
   shortname = testcisco
   nastype = cisco
 }
 

those look fine. have you actually tried a 'radtest' on the local server
to check all is well?  eg put the following into your 'users' file

testuser01  Auth-Type:=Local, User-Password==ehwtehi


restart radiusd process then do

radtest testuser01 ehwtehi localhost 1812 181180



this is pure and simple PAP authentication at its best.



 ## radiusd.conf   -- FreeRADIUS server configuration file.

which version of freeradius? this config is a bit crusty for a 1.x
install

change the following parts


#bind_address = *
#port = 0

listen {
#  IP address on which to listen.
#  Allowed values are:
#   dotted quad (1.2.3.4)
#   hostname(radius.example.com)
#   wildcard(*)
ipaddr = *
 
#  Port on which to listen.
#  Allowed values are:
#   integer port number (1812)
#   0 means use /etc/services for the proper port
port = 1645
 
#  Type of packets to listen for.
#  Allowed values are:
#   auth    listen for authentication packets
#   acct    listen for accounting packets
#
type = auth
}

this uses the 1.x listen directive. I've also changed the port to 1645 - as you
say your cisco is expecting this port!

 proxy_requests  = yes
 $INCLUDE  ${confdir}/proxy.conf

are you proxying? you didn't say so. you should set this to no(!)

   #  Supports multiple encryption schemes
   #  clear: Clear text
   #  crypt: Unix crypt
   #  md5:   MD5 encryption
   #  sha1:  SHA1 encryption.
   #  DEFAULT: crypt
   pap {
   encryption_scheme = crypt
   }

to do the radtest I mentioned above, this value needs to be 'clear'

you need a crypted version of that password if you wish to use 'crypt'


as for all the rest: if you aren't using it, comment it out.

alan


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
On Tue, 13/02/2007 at 11.59 +, [EMAIL PROTECTED] wrote:
 Hi,
 
  client localhost {
  secret = 181180
  shortname = localhost
  nastype = other
  }
  
  client 192.168.0.1 {
  secret = 181180
  shortname = testcisco
  nastype = cisco
  }
  
 
 those look fine. have you actually tried a 'radtest' on the local server
 to check all is well?  eg put the following into your 'users' file
 
 testuser01  Auth-Type:=Local, User-Password==ehwtehi
 
 
 restart radiusd process then do
 
 radtest testuser01 ehwtehi localhost 1812 181180

Ok, just after this test I have

after many tries Re-Sending Access-Request ...

radclient: no response from server for ID 250

This without any change to radiusd.conf. Now I will make all the
modifications you suggested and send you the results.
I'm not proxying.
The freeradius version is 1.0.1
 
 
 
 


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Walt Reynolds

I had the problem before and it was because in the clients.conf file I 
had written clients (with an s) and not client.

 

-- 
Walt Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

 Ok just after this test i have 
 
 after many tries Re-Sending Access-Request ...
 
 radclient: no response from server for ID 250


sounds like you have a firewall blocking the request or that your server is not
active!

in one window, run 'radiusd -X' at the same time as the 'radtest'. this is the
best debug method for this level of issue.

then, run e.g. on a Linux box

iptables -L -n

if you have a firewall, add UDP ports 1812/1813

slsn


RE: EAP-PEAP/MS-ChapV2 password storing options

2007-02-13 Thread Matt Ashfield
Thanks for the link!

BTW, I have nothing against SecureW2, but if we don't have to install an
extra piece of software on 10,000 computers on campus, I'd like to avoid it!


Matt
-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: February 13, 2007 2:57 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: EAP-PEAP/MS-ChapV2 password storing options

Matt Ashfield wrote:
 We're trying to implement username/password authentication and so far are
 using EAP-PAP (with secureW2 client) because our passwords are stored in
 LDAP in a 1-way encrypted hash. 

  What's EAP-PAP?

 We're hoping to get away from this secureW2 implementation and would like
to
 use Windows built-in authentication, which seems to be EAP-PEAP with
 MS-ChapV2 authentication. 

  What's wrong with SecureW2?

 In order to get EAP-PEAP/MS-ChapV2 to work with FreeRadius, what are my
 options for storing the password in LDAP? Does it have to be clear-text?

http://deployingradius.com/documents/protocols/compatibility.html

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




wep encryption

2007-02-13 Thread Hillary Marek
Hello.  I have a FreeRadius 1.1.4 server setup on Fedora Core 6. Right
now I have it set up to filter MAC addresses and to authenticate against
Active Directory. I am looking to add encryption, but unfortunately many
of my wireless devices are older 802.11b devices that can't handle wpa.
I am also restricted in how much I am allowed to put the end user
through. Is there a way to centralize a wep key in the server, as I have
26 access points that I would hope not to have to go into individually
to add encryption (I already need to set up 70+ devices). Because I
can't put any truly strong protection on the network, and I can't take
the wlan off of the main network, I am trying to add as many layers of
lesser protection as I can. Does anyone have any other ideas for me?
Thanks
 
 
Hillary Marek
Hazen Paper Co.
 
 

Re: wep encryption

2007-02-13 Thread A . L . M . Buxey
Hi,

 Active Directory. I am looking to add encryption, but unfortunately many
 of my wireless devices are older 802.11b devices that can't handle wpa.
 I am also restricted in how much I am allowed to put the end user
 through. Is there a way to centralize a wep key in the server, as I have
 26 access points that I would hope not to have to go into individually
 to add encryption (I already need to set up 70+ devices). Because I
 can't put any truly strong protection on the network, and I can't take
 the wlan off of the main network, I am trying to add as many layers of
 lesser protection as I can. Does anyone have any other ideas for me?
 Thanks

in a word, no. FreeRADIUS can help in WPA because it does the EAP methods.
with WEP you are really stuck with configuring single APs - or, in a centralised
system, configuring WEP on the central controller.

WEP is pretty pointless too.

If I were put into that environment I would push for Open wireless that requires
authentication before you can get anywhere - ie use VPN technology. clients install
eg OpenVPN and that's configured to talk to the OpenVPN server after they've
authenticated. only when they have a VPN tunnel do they get network access. 2048 bit
SSL keys are somewhat better than any form of WEP. you also don't need to go around
shouting out the WEP key to all and sundry - only valid users can authenticate. you
could even use FreeRADIUS as the OpenVPN authenticator!!  :-)

alan


Re: Problems regarding MAC address authentication

2007-02-13 Thread Shobhit Jindal

On 2/13/07, Alan DeKok [EMAIL PROTECTED] wrote:


 radiusCallingStationId: 00-90-4B-ED-AB-52

  Please read the documentation and the debug output.  This entry in
LDAP says send the Calling-Station-Id attribute in the Access-Accept.
It is documented as doing that, and the debug log shows it's doing that.



how can a field alone say that it is a reply item or a check item?
my ldap.attrmap says
checkItem   Calling-Station-Id  radiusCallingStationId

 You can't just list things in configurations, and magically expect it
 to do what you want.



yeah, am a newbie for freeradius server but am trying my best :)

 If you put the MAC into another field in LDAP, you can query the LDAP
 server for that field, and see if it matches the field in the packet.



how to implement the above? (this is the question that eludes me)

PS: I would really like to know why filtering the ldap database using uid
works but fails while using radiusCallingStationId

cheers for helping out :)
--
Registered Linux User #426561
-
Shobhit Jindal
B.Tech. Part-III,
Department Of Electronics Engineering, ITBHU
INDIA

Re: Problems regarding MAC address authentication

2007-02-13 Thread Alan DeKok
Shobhit Jindal wrote:
 how to implement the above?(this is the question that eludes me)
 
 PS: i would really like to know why filtering the ldap database using
 uid works and fails while using radiusCallingStationId

  See your LDAP documentation.

  Run LDAP queries by hand until you get the result you want, and then
configure the server to use those queries.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Alan DeKok
Davide Molteni wrote:
 Error: Ignoring request from unknown client ipmycisco:1645
   Did you configure the server to have that IP in clients.conf?
 
 Sure! With the IP and the same shared key as the cisco NAS client

  shrug  The server isn't finding it.

  Are you sure the server is reading the clients.conf file you're editing?

 Please notice that I would like to use this radius for simple PAP ONLY.
 Maybe I'm doing something wrong with users file?

  No.

 Please tell me the right way to configure a single test user for PAP
 only. I would like to disable unused modules (ldap,mysql...)

  It's in the FAQ.

 It couldn't be a problem of authentication method?

  No.

 I forgot an important element to tell anyone wants to help.
 I tried to change the shared key on one side (radius) and noticed that
 log file continue to write again the same error
 
 Ignoring request from unknown client IP:1645
 
 So the issue it's due to the fact that cisco client don't exchange
 shared key with radius...

  No.  They don't exchange shared keys.  You MUST list the Cisco's IP in
clients.conf.

  It looks like you're not doing that, or you're doing it wrong, or
you're editing a file the server isn't reading.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
Ok, you got it! It was a simple user permissions problem on the file
clients.conf! Shame on me...
The daemon tried to read the old configuration files clients and naslist
just because the user that runs radiusd can't access the actual clients.conf.
Now everything is working fine. I have to review some concepts on cisco
AAA because it won't authorize my users but just authenticates them, but
this issue is surely on the cisco side.

Thanks a lot for the quick help 
Davide



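Davide's root cause (a clients.conf the daemon user could not read) and Walt's (a block spelled "clients"), as an added example in Python that is not FreeRADIUS code: it parses the 1.x clients.conf syntax quoted in this thread, looks the NAS up by source IP the way the server does, and checks the file's permission bits against a daemon uid. The file text, the uid and the file modes are all constructed for the example.

```python
# Added example (not FreeRADIUS code): the two things that turn a configured
# NAS into "Ignoring request from unknown client <ip>:<port>" in this thread.
# The lookup is by source IP only; the shared secret is never sent on the
# wire, so a wrong secret on either side cannot produce this message.
import re
import stat

# Constructed clients.conf in the 1.x syntax quoted on the list.
CLIENTS_CONF = """
client localhost {
    secret = 181180
    shortname = localhost
    nastype = other
}

client 192.168.0.1 {
    secret = 181180
    shortname = testcisco
    nastype = cisco
}
"""

# Same file with the one-letter typo Walt Reynolds describes.
CLIENTS_CONF_TYPO = CLIENTS_CONF.replace("client 192.168.0.1", "clients 192.168.0.1")

_BLOCK = re.compile(r"^\s*(\w+)\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
_KV = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return {ip_or_name: {key: value}} for every 'client X { ... }' block.

    Blocks under any other keyword ('clients', ...) are skipped, which is how
    a typo silently removes a NAS from the known-client list.
    """
    clients = {}
    for keyword, name, body in _BLOCK.findall(text):
        if keyword != "client":
            continue
        clients[name] = dict(_KV.findall(body))
    return clients


def lookup_client(text, src_ip):
    """Server-side lookup: match on the source IP, ignore the source port.

    Returns the client's settings, or None (the 'unknown client' case).
    """
    return parse_clients(text).get(src_ip)


def readable_by(mode, file_uid, file_gid, uid, gids):
    """Pure permission-bit check: can a process running as uid/gids read the file?

    mode is st_mode as os.stat reports it; root is treated as always able to
    read. This is the resolution of the thread: the daemon's user could not
    read clients.conf, so none of its entries were ever loaded.
    """
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def diagnose(text, src_ip, mode, file_uid, file_gid, daemon_uid, daemon_gids):
    """Run both checks in the order the server effectively applies them."""
    if not readable_by(mode, file_uid, file_gid, daemon_uid, daemon_gids):
        return "clients.conf not readable by daemon user; entries never loaded"
    client = lookup_client(text, src_ip)
    if client is None:
        return "Ignoring request from unknown client %s" % src_ip
    return "known client %s (secret configured)" % client.get("shortname", src_ip)


if __name__ == "__main__":
    # Constructed sample: file owned by root, daemon running as uid/gid 105.
    print(diagnose(CLIENTS_CONF, "192.168.0.1", 0o100600, 0, 0, 105, [105]))
    print(diagnose(CLIENTS_CONF_TYPO, "192.168.0.1", 0o100644, 0, 0, 105, [105]))
    print(diagnose(CLIENTS_CONF, "192.168.0.1", 0o100644, 0, 0, 105, [105]))
```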


1.1.4 stops responding to requests

2007-02-13 Thread Phil Allred
Just a heads up:  In our production environment here at Brooklyn Law 
School, 1.1.4 stops responding to radius requests after a few hours.  We 
have used freeradius for some time (and love it) to authenticate 
wireless users to our ldap servers.  We use it with two different 
wireless systems, trapeeze and colubris, which each do 802.1x 
authentication to freeradius servers using PEAP and mschapv2.  We run it 
on three different servers.  When vista came along, we had to upgrade 
from 1.1.4 to 1.0.5.  We run Fedora Core 5 and Fedora Core 6 on these 
servers.  Because there is no 1.1.4 rpm out yet for Core 5 or Core 6,  
we built freeradius from source.  Since we are in  a production 
environment, we were careful to use non-overlapping directory structures 
when we compiled and installed 1.1.4 so that if there was a problem, we 
could quickly go back to the rpm. 

1.1.4 will run for a few hours and then either stop responding to 
requests or die.   There is no seg fault warning in any log file.  If I 
restart radius, it then begins answering again.  Since it is a 
production environment in which 300-500 users are connected at any given 
time, we were unable to simply turn on debugging and look for problems.  
Once we realized the problem we had to quickly revert to 1.0.5 for now 
and make our relatively few Vista users for a little longer.

I am going to try running it in debug mode over a weekend in a 
particular subset of the school's wireless network where not many users  
would be affected by a crash and see if I can collect any more 
information.  I will do it on a system that never had any earlier 
version of freeradius installed on it, just to be safe.  In the 
meantime, any advice would be appreciated.

Thanks,
Phil Allred


Re: Re: Re: nas table in rlm_sql module - usage

2007-02-13 Thread ChristosH

SQL refuses to start when I comment out the INCLUDE line with clients.conf.
Is there anything else I have to change so that it knows to look to SQL for
a table of acceptable NAS's and to get it to run other than commenting out
this INCLUDE statement?


tzieleniewski wrote:
 
 Yes I checked it.
 You may comment it out from the radiusd.conf file.
 
 Is there anything I have to config so it doesn't touch the config files?
 How
 do I move the server onto pure SQL for the NAS list? Can the clients.conf
 file be totally empty?
 
 
 tzieleniewski wrote:
  
  What I managed to figure out is that nasname is a source for a name to
 ip
  resolving.
  So probably the nasname has to be different (its ip resolution) from
 the
  one specified in the clients.conf file.
  Well those of course are only my suggestions:)
  
  Cheers 
  -tomasz
 



Re: Re: Re: nas table in rlm_sql module - usage

2007-02-13 Thread A . L . M . Buxey
Hi,

 SQL refuses to start when I comment out the INCLUDE line with clients.conf.
 Is there anything else I have to change so that it knows to look to SQL for
 a table of acceptable NAS's and to get it to run other than commenting out
 this INCLUDE statement?

last time I looked, you still had to have a stub clients.conf - even with just
a fake client in it.

to USE the NAS SQL table, simply look at the bottom few lines of sql.conf -
it's self-documented!

# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yes


ensure that the other lines in sql.conf are okay, eg

nas_table = nas
#  NAS Query
nas_query = SELECT id, nasname, shortname, type, secret FROM ${nas_table}


alan


Re: 1.1.4 stops responding to requests

2007-02-13 Thread Stefan Winter
Hi,

 1.1.4 will run for a few hours and then either stop responding to
 requests or die.   There is no seg fault warning in any log file.  If I
 restart radius, it then begins answering again.  Since it is a
 production environment in which 300-500 users are connected at any given
 time, we were unable to simply turn on debugging and look for problems.
 Once we realized the problem we had to quickly revert to 1.0.5 for now
 and make our relatively few Vista users for a little longer.

Interesting... I've been seeing exactly this happening on our own system. In
our case, I could track it down to the fact that it stopped responding
shortly after accounting packets came in. Turning off accounting (already on
NAS level) deterministically solved the problem for me, so I suspect the
problem to be somewhere near there.
I never followed this trace, because accounting is optional at our site (free
wireless) and it was our prod environment; I didn't want to mess around
without a good reason. So accounting is just off at the moment.

 I am going to try running it in debug mode over a weekend in a
 particular subset of the school's wireless network where not many users
 would be affected by a crash and see if I can collect any more
 information.  I will do it on a system that never had any earlier
 version of freeradius installed on it, just to be safe.  In the
 meantime, any advice would be appreciated.

Is it an option to not do accounting? Or maybe queue the acct in files rather
than a proper backend (for me, the issue happened in combination with mysql).
I never tried whether the hangs also occur when logging to a file.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




Re: 1.1.4 stops responding to requests

2007-02-13 Thread Guilherme Franco

Hello,

Same with me, but acct is necessary.

The solution was radsqlrelay.

Regards,

Guilherme


Mysql - radcheck, radreply, radgroupcheck and radgroupreply

2007-02-13 Thread Fabrício F. Kammer
Can anyone help me with this?


Hi,

I'm using Freeradius + Mysql to do the MAC address authentication of the
clients that connect to my APs (Mikrotik machines).

In MySQL I have the following:

Table usergroup:
UserName = MAC address
GroupName = NAS-Port-ID - (the name of the AP where the client will be
connected - ex. MyAP1)

Table radgroupcheck:
GroupName = NAS-Port-ID - (the name of the AP where the client will be
connected - ex. MyAP1)
Then I have four lines for each GroupName with the following:
Attribute: Auth-Type // op: := // Value: Local
Attribute: NAS-IP-Address // op: == // Value: IP of the AP
Attribute: NAS-Port-Identify // op: == // Value: Name of the AP -
Ex: MyAP1

On the table radcheck I don't have anything. This table is empty.

In the table radreply I have one record:
UserName: MAC Address of the client
Attribute: Mikrotik-Rate-Limite
op: =
Value: 64000/128000

The problem is: if Freeradius doesn't find the UserName in the table
radcheck, it doesn't return the attributes that are in the table
radreply; just the records of the table radgroupreply are returned. I
need to return a different reply for each client because this
parameter is the upload and download speed, and these values are
different for each client.

My question is: is it possible that Freeradius returns the values of
the table radreply if I don't have any value in radcheck? (The
authentication was made in the radgroupcheck table)

Thanks in advance,

Fabrício F.: Kammer


Re: rlm_postgresql , accounting and Framed-IP-Address

2007-02-13 Thread Francisco Gimeno

hello.. Thanks for your answer!...

then, how could I put the IP there?
Is the post-auth hook the right place?

2007/2/12, Phil Mayers [EMAIL PROTECTED]:


Francisco Gimeno wrote:

 The %{reply:Framed-IP-Address} or %{Framed-IP-Address} isn't xlated at
 all... SQL module is executed after sqlippool, so, that variable should
 be available.

Nop. Accounting replies contain NO attributes, therefore reply:Anything
is invalid/empty.

For accounting queries to log the IP address, your NAS must send the
Framed-IP-Address attribute in the accounting request. If it doesn't (as
it must not be) you can't log it.

Consult the documentation for your NAS.

You've undoubtedly taken that reply:Framed-IP-Address from the
post-auth query where it is valid.



Re: 1.1.4 stops responding to requests

2007-02-13 Thread Phil Allred
Interesting.  I don't think it is needed here.  I'll check with our 
wireless vendor, then give it a shot. 

Thanks very much!

Phil

Guilherme Franco wrote:
 Hello,
  
 Same with me, but acct is necessary.
  
 The solution was radsqlrelay.
  
 Regards,
  
 Guilherme
  
 On 2/13/07, *Stefan Winter* [EMAIL PROTECTED] wrote:

 Hi,

  1.1.4 will run for a few hours and then either stop responding to
  requests or die.   There is no seg fault warning in any log
 file.  If I
  restart radius, it then begins answering again.  Since it is a
  production environment in which 300-500 users are connected at
 any given
  time, we were unable to simply turn on debugging and look for
 problems.
  Once we realized the problem we had to quickly revert to 1.0.5
 for now
  and make our relatively few Vista users for a little longer.

 Interesting... I've been seeing exactly this happening on our own
 system. In
 our case, I could track it down to the fact that it stopped responding
 shortly after accounting packets came in. Turning off accounting
 (already on
 NAS level) deterministically solved the problem for me, so I
 suspect the
 problem to be somewhere near there.
 I never followed this trace, because accounting is optional at our
 site (free
 wireless) and it was our prod environment, I didn't want to mess
 around
 without a good reason. So accounting is just off at the moment.

  I am going to try running it in debug mode over a weekend in a
  particular subset of the school's wireless network where not
 many users
  would be affected by a crash and see if I can collect any more
  information.  I will do it on a system that never had any earlier
  version of freeradius installed on it, just to be safe.  In the
  meantime, any advice would be appreciated.

 Is it an option to not do accounting? Or maybe queue the acct in
 files rather
 than a proper backend (for me, the issue happened in combination
 with mysql).
 I never tried if the hangs occur also when logging to a file.

 Greetings,

 Stefan Winter

 --
 Stefan WINTER

 Fondation RESTENA - Réseau Téléinformatique de l'Education
 Nationale et de
 la Recherche - Research Engineer

 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg




Re: VLAN assignment and Alcatel Omniswitch 7800

2007-02-13 Thread Oxiel Contreras
Hello Marcel

 I suggest you look into chapter 22 of your 7700/7800/8800 Network
 Configuration Guide, where dot1x is explained. Somewhere in the first
 few pages of this chapter is an explanation of assigning users to VLANs
 based on RADIUS authentication. Authenticated VLAN appears to be
 something completely different (although it uses RADIUS and assigns
 VLANs to users, the methods are different, probably more like a captive
 portal). It looks like you'll need to provide the VLAN number in a VSA
 (see chapter 20).

I did read it, that's why I began to try this setup in the first place, but 
I have to confess my ignorance about the VSA topic; I didn't understand it 
completely until recently. Thanks a lot for your help.

 Because I work at Alcatel-Lucent (as you can probably see from my e-mail
 address), a big fat disclaimer is in place: This mail does not represent
 Alcatel-Lucent in any way. Everything I have written in this mail is
 either my opinion or information I interpreted from publically available
 documents (I found the manuals through Google on a server that, judging
 from its name, is open for public access). I don't work in a department
 that has anything to do with Omniswitches and have not used them myself.
 Because of that, this information may be inaccurate or even plain wrong,
 Alcatel-Lucent is not responsible for the accuracy of this information.
 I'm just trying to be helpful here based on what I know.

Indeed you were right, and I was wrong, at least according to what I was told 
by support at first consult.

For your tranquillity and my happiness :) it happens that no licenses were 
needed to support this task. I'll let you know what the final setup and 
solution is.

Thanks for your help again.

Best regards

Oxiel


Re: 1.1.4 stops responding to requests

2007-02-13 Thread Michael Griego
The fix for this is in the CVS HEAD and probably should be backported  
to the latest release branch.  There was a race condition in the code  
where the server could clean up an accounting request before a thread  
actually got to it to process it.

--Mike



Re: VLAN assignment and Alcatel Omniswitch 7800

2007-02-13 Thread Oxiel Contreras
Hello Santa.

On Sunday, 11 February 2007 22:57, Santa Yeh wrote:
 You cannot use the standard attributes:

 Tunnel-Type:0 += VLAN
 Tunnel-Medium-Type:0 += IEEE-802
 Tunnel-Private-Group-Id:0 += 3

 The VSA for Alcatel switches is Alcatel-Auth-Group, that is why you
 should check the user manual.

I've added the Alcatel-Auth-Group attribute to dictionary.alcatel like this:

ATTRIBUTE   Alcatel-Auth-Group  134 integer

and modified the users file like this:

Tunnel-Type += 13,
Tunnel-Medium-Type += 6,
Alcatel-Auth-Group += 3

Now I see the Access-Accept part of the log, which is sent with the 
attribute, but nothing happens.

Sending Access-Accept of id 181 to 192.168.10.20 port 1074
Tunnel-Type:0 += VLAN
Tunnel-Medium-Type:0 += IEEE-802
Alcatel-Auth-Group += 3
MS-MPPE-Recv-Key = 0xc90404d5af28944ae97417b2336cf56e204fe5afab5c7c7e7e50045ec24473b3
MS-MPPE-Send-Key = 0xc990b966cc4bed66c7be062e54795ddb253efe28c8426ecbb298d302c64b9359
EAP-Message = 0x030d0004
Message-Authenticator = 0x
User-Name = MYDOMAIN\\jose
Finished request 8

Could you please pass me the relevant parts of your switch setup?

vlan port mobile
vlan authentication
aaa

Is it necessary to define VLAN rules on the switch in order to move the mobile 
port to the VLAN designated with Alcatel-Auth-Group?

Thanks and best regards

Oxiel
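The attributes in that Access-Accept as they go on the wire, as an added example (not code from the thread or from FreeRADIUS): the RFC 2868 tunnel attributes beside an RFC 2865 Vendor-Specific attribute carrying Alcatel-Auth-Group, with a parser that walks them back. VENDOR_ID_ALCATEL is a placeholder, and the vendor attribute number 134 is the one from the dictionary line above.

```python
"""Wire encoding of the VLAN-assignment attributes discussed in this thread.  Added
example, not code from the thread or FreeRADIUS.  VENDOR_ID_ALCATEL is a placeholder;
the real Vendor-Id is the VENDOR line of dictionary.alcatel in your install."""
import struct

VENDOR_ID_ALCATEL = 0      # PLACEHOLDER, not the real Vendor-Id
ALCATEL_AUTH_GROUP = 134   # vendor attribute number from the thread's dictionary line
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
VLAN, IEEE_802 = 13, 6     # Tunnel-Type and Tunnel-Medium-Type values from the users file

def tlv(attr_type, value):
    """RFC 2865 attribute: Type, Length (header included, max 255), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one Tag octet (0 = unused) and a 3-octet value."""
    if not (0 <= tag <= 0x1F and 0 <= value < 1 << 24):
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: Tag octet 0x01..0x1F; a first octet above 0x1F is data."""
    data = text.encode("ascii")
    if tag and not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    if not tag and data and data[0] <= 0x1F:
        raise ValueError("untagged string would be misread as tagged")
    return tlv(attr_type, (bytes([tag]) if tag else b"") + data)

def vsa(vendor_id, vendor_type, value):
    """RFC 2865 Vendor-Specific: 4-octet Vendor-Id, then vendor Type/Length/Value."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)

def vlan_reply_attrs(vlan):
    """Reply attributes for one VLAN: the three standard ones plus the Alcatel VSA."""
    return (tagged_int(TUNNEL_TYPE, 0, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, 0, IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, 0, str(vlan))
            + vsa(VENDOR_ID_ALCATEL, ALCATEL_AUTH_GROUP, struct.pack("!I", vlan)))

def parse_attrs(blob):
    """Split an attribute list back into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out
```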


Re: 1.1.4 stops responding to requests

2007-02-13 Thread Stefan Winter
Hi,

 The fix for this is in the CVS HEAD and probably should be backported
 to the latest release branch.  There was a race condition in the code
 where the server could clean up an accounting request before a thread
 actually got to it to process it.

yes, that definitely deserves a backport IMO. Up to now, accounting is a 
dangerous endeavour in the 1.1 branch :-(

Greetings,

Stefan Winter

-- 
Stefan WINTER

RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
R&D Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu               Fax:      +352 422473

