freeRADIUS
Hi, I would like to know how to send the accounting messages from the freeradius client to the server. It would be helpful, if you give me the links on the same. Thanks Senthil Nathan R On 2/22/07, Senthil Nathan [EMAIL PROTECTED] wrote: Hi, I need few info about freeradiusclient. 1. I installed it and when starting the application, 'freeradiusclient', it was asking for the config files location. Please let me know how to start the 'freeradiusclient'. 2. On starting it, how to send the accounting messages from the client. fyi, I have already installed the freeradius server 1.1.4 and could start it. Please give me more insight on these issues. Thanks Senthil Nathan R - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP authentication allowed if User Object does not exist.
Eric Belcher wrote: Each student is issued with a certificate that is used to authenticate him to the radius server. The certificate name is his MAC address. A corresponding NDS account exists for this MAC address. I presume that's with EAP-TLS? However, I have found a flaw I can't seem to find an answer for. I'm hoping someone can help. If the NDS account does not exist, as long as the SSL certificate is not revoked and is in the Freeradius database, the student will gain access. That's how EAP-TLS works. The certificate is valid, not revoked, so the user *may* be allowed in. The radius server, does a lookup, can't find the account and just continues on. I need the radius server to reject access is an missing attribute causing a rejection if the account can't be found. doc/configurable_failover. If the ldap module returns notfound, you can reject the user. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxy question
Jory Privett wrote: I have a new FreeRadius server that I set up and everything is working great, well all most. What I want to do is have it check a local file and if the user is not there then to proxy the request to another server. I can make it check the local file or proxy the request successfully, I can't seem to get it to do both. You can set Proxy-To-Realm manually. bob Proxy-To-Realm := foo ... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [SOLVED] Freeradius Authentication to Actice Directory
Thats it! If i user uppercase username for login the client it works. Can i set uppercase as default in the radiusd.conf? I found only to make it lowercase. Thank you very much. A.L.M.Buxey wrote: hi, from a 2 second inspection on the error I can see one major difference - you are logging in with lower case, not upper case. the ntlm_auth is failing because the challenge-response for this user is not working. i suggest you check out the 'case sensitive' parts of your radiusd config! alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Freeradius-Authentication-to-Actice-Directory-tf3273167.html#a9115547 Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radeapclient error !
Amin BEN ABDALLAH wrote: *I used radeapclient to test authentification with EAP-MD5* ... *I got an error in radeapclient :* *** glibc detected *** radeapclient: munmap_chunk(): invalid pointer: It's a bug. 1.1.5 will contain the fix. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dial Up Admin Interface
We are looking at installing the Dial Up Admin Interface for administration purposes. Research suggests that the place to in all the relevant information is at /usr/share/doc/freeradius-dialupadmin/HOWTO.gz We have installed V1.1.4 and the HOWTO.gz cannot be found here. Could someone please point me in the right direction. Or is there a better admin interface to use? Any recommendations greatly appreciated. Peter. -- What system you have? And How you install that? Abel.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting SQL Profiles
Alan, it is a big help. This what happens when users are not reading the documentation fully :(. Thxs a loot, I will try it out. Cheers, Dan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [SOLVED] Freeradius Authentication to Actice Directory
I found the Problem: Some account names in the Active Directory were in uppercase, now i changed all to lowercase. And now it works with the lowercase login. sanni wrote: Thats it! If i user uppercase username for login the client it works. Can i set uppercase as default in the radiusd.conf? I found only to make it lowercase. Thank you very much. A.L.M.Buxey wrote: hi, from a 2 second inspection on the error I can see one major difference - you are logging in with lower case, not upper case. the ntlm_auth is failing because the challenge-response for this user is not working. i suggest you check out the 'case sensitive' parts of your radiusd config! alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/Freeradius-Authentication-to-Actice-Directory-tf3273167.html#a9117645 Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dial Up Admin Interface
Have a look at the dialup_admin package which is available on freshmeat.net ! I believe the direct link to the project is - http://freshmeat.net/projects/dialup_admin/ ! Not sure if that is what you are looking for though. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Set Pool-Name based on Framed-Pool
Hi list! I'm having problems setting Freeradius internal Pool-Name attribute based on Framed-Pool attribute (in proxy auth reply). users file: DEFAULT Framed-Pool == tech, Pool-Name := tech_ippool Fall-Through = 1 I can see the Framed-Pool attribute in proxy auth reply (with correct value), but when freeradius is processing users file, the above line does not match.. What's wrong with that line? Thanks! -- Pasi - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius+Mysql - radreply
Can anyone help me with this doubt??? Regards, Fabrício Fabrício F. Kammer escreveu: Hi all, I've a Freeradius working fine with mysql. I put my users on table usergroup and I put the attributes to verification of the authentication on the table radgroupcheck. (Because I'm making the MAC authentication and the password is the same for all clients). Now I need that the Freeradius send an attribute for the clients, but this attribute is different for each client, than I need to use the radreply and not the radgroupreply to send the attribute. My doubt is: Is it possible to Freeradius send an answer of the radreply without I use the table radcheck? This is very important for me and I need of a solution. If this is impossible I'll to change the authentication for of my clients. Can anyone help me with this??? Thanks in advance, Fabrício - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
normal behaviour when Framed-Protocol = PPP is in the Auth request?
Hi list, I am very new in FreeRadius, and there is something which is a bit strange: 0] Current config I use FreeRadius 1.1.4, out of the box. I define my authorized clients in clients.conf. I define a user in the users file following the examples given in the same file: Mickey Auth-Type :=Local, User-Password == mouse Reply-Message = Hello mickey mouse -- 1] I send the following authentication packet (using radclient): Service-Type = Framed-User User-Name = Mickey User-Password = mouse NAS-IP-Address = 172.24.2.103 NAS-Port = 0 -- I get accepted -- 2] I send the following authentication packet (same + Framed-Protocol = PPP): Service-Type = Framed-User Framed-Protocol = PPP User-Name = Mickey User-Password = mouse NAS-IP-Address = 172.24.2.103 NAS-Port = 0 -- I get rejected -- 3] I create a Unix user Mickey with password mouse on the FreeRadius host, and I send again: Service-Type = Framed-User Framed-Protocol = PPP User-Name = Mickey User-Password = mouse NAS-IP-Address = 172.24.2.103 NAS-Port = 0 -- I get accepted -- 4] Here is a short extract of the FreeRadius output when I get rejected: modcall[authorize]: module files returns ok for request 0 rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this. -- I found a 'work-around' (using the Unix user), but could somebody explain me why do I get accepted or not depending on the Framed-Protocol == PPP flag sent in the request or not, and depending on the way I specify the user (file or Unix account)? Thanks a lot! Laurent - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Set Pool-Name based on Framed-Pool
Pasi Kärkkäinen wrote: users file: DEFAULT Framed-Pool == tech, Pool-Name := tech_ippool Fall-Through = 1 I can see the Framed-Pool attribute in proxy auth reply (with correct value), but when freeradius is processing users file, the above line does not match.. There is no Framed-Pool attribute in the request. You want to use the postproxy_users file. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: normal behaviour when Framed-Protocol = PPP is in the Auth request?
lolo wrote: I define a user in the users file following the examples given in the same file: MickeyAuth-Type :=Local, User-Password == mouse Reply-Message = Hello mickey mouse 1.1.5 will contain updated examples. You should be using: Mickey Cleartext-Password := mouse Reply-Message = Hello mickey mouse ... I found a 'work-around' (using the Unix user), but could somebody explain me why do I get accepted or not depending on the Framed-Protocol == PPP flag sent in the request or not, and depending on the way I specify the user (file or Unix account)? Read the debug output, as suggested in the FAQ, README, INSTALL, and daily on this list. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Strange problems in large proxy setup
My greetings to the list.
We have deployed a large setup using freeradius 1.1.3 in a proxy
configuration in front of FUNK radius. During the day we have about
150.000 concurrent DSL users online. Our setup takes the
access-request from the NAS, checks whether the user has any other
active sessions and if he is allowed to have a session the request is
proxied to the FUNK server that performs the actual authentication. So
the setup is a classical proxy setup. This policy decision of whether
the user is allowed to have a session is taken by a module we have
developed for this purpose (we call it rlm_concurrency). We use the
ldap module to find the maximum allowed sessions for a user.
Our setup involves no accounting, just authentication/authorization.
-----
| NAS | - | Freeradius | --- | FUNK |
-----
This is the actual config we have in our freeradius server:
authorize {
preprocess
# The following config instructs freeradius to stop processing
# requests if it matches the user in the local users file
files {
ok = return
}
ldap
concurrency
suffix
}
Here is a debugging output from freeradius with this config:
== Debugging output (radiusd -X) ==
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 62.103.1.111:1645, id=4, length=127
Framed-Protocol = PPP
User-Name = foouser
User-Password = XX
Calling-Station-Id = X
NAS-Port-Type = Async
Connect-Info = 33600/31200 V34+/V42bis/LAPM
NAS-Port = 4115
NAS-Port-Id = Async2/2
Service-Type = Framed-User
NAS-IP-Address = 62.103.1.111
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module preprocess returns ok for request 9
modcall[authorize]: module files returns notfound for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foouser
radius_xlat: '((uid=foouser)(radiusAccountStatus=activated))'
radius_xlat: '...'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=..., with filter
((uid=foouser)(radiusAccountStatus=activated))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user foouser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 9
rlm_concurrency: Found NAS-IP-Address: 62.103.1.111
rlm_concurrency: User: foouser, Max-Sessions found: 1
rlm_concurrency: Accepted User foouser. Active sessions: 0, Maximum allowed
sessions: 1
modcall[authorize]: module concurrency returns ok for request 9
rlm_realm: No '@' in User-Name = foouser, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Proxying request from user foouser to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Preparing to proxy authentication request to realm NULL
modcall[authorize]: module suffix returns updated for request 9
modcall: leaving group authorize (returns updated) for request 9
Sending Access-Request of id 9 to port 1645
Framed-Protocol = PPP
User-Name = foouser
User-Password = XX
Calling-Station-Id = XX
NAS-Port-Type = Async
Connect-Info = 33600/31200 V34+/V42bis/LAPM
NAS-Port = 4115
NAS-Port-Id = Async2/2
Service-Type = Framed-User
NAS-IP-Address = 62.103.1.111
Proxy-State = 0x34
--- Walking the entire request list ---
Waking up in 0 seconds...
...
Waking up in 0 seconds...
rad_recv: Access-Accept packet from host , id=9, length=107
Proxy-State = 0x34
Class =
0x5342522d434c20444e3d22646570616b222041543d22323030222055533d2053493d223630373737383736302200
Filter-Id = USER-FILTER-OUT.out
Framed-Protocol = PPP
Service-Type = Framed-User
authorize: Skipping authorize in post-proxy stage
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [foouser] (from client KARP3845 port 4115 cli 2237021227)
Sending Access-Accept of id 4 to 62.103.1.111 port 1645
Class =
0x5342522d434c20444e3d22646570616b222041543d22323030222055533d2053493d223630373737383736302200
Filter-Id = USER-FILTER-OUT.out
Framed-Protocol = PPP
Service-Type = Framed-User
== End Debugging output (radiusd -X) ==
We have noticed no problems with our module and also no problems
whatsoever in a low traffic testing environment. However we have observed
the following strange behaviour in our production setup with its high
Re: Strange problems in large proxy setup
Hi, active sessions and if he is allowed to have a session the request is proxied to the FUNK server that performs the actual authentication. So the setup is a classical proxy setup. This policy decision of whether whoah. steady on there. this is not a classical proxy setup. in a classical proxy setup ALL autentication is handled by a 3rd party. in this case you are doing an LDAP authorization on the FreeRADIUS box. the fact that this works on testing but not in high-volume production points a marked finger towards this LDAP process. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [SOLVED] Freeradius Authentication to Actice Directory
Hi, I found the Problem: Some account names in the Active Directory were in uppercase, now i changed all to lowercase. And now it works with the lowercase login. glad to be of service alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Strange problems in large proxy setup
On Fri, Feb 23, 2007 at 02:49:57PM +, [EMAIL PROTECTED] wrote: Hi, active sessions and if he is allowed to have a session the request is proxied to the FUNK server that performs the actual authentication. So the setup is a classical proxy setup. This policy decision of whether whoah. steady on there. this is not a classical proxy setup. in a classical proxy setup ALL autentication is handled by a 3rd party. in this case you are doing an LDAP authorization on the FreeRADIUS box. OK you have a point there, my wording is incorrect. Yes, we do make an authorization decision in the freeradius box. the fact that this works on testing but not in high-volume production points a marked finger towards this LDAP process. The 'ldap process' you refer to is actually rlm_ldap and a tiny module of ours. However, we have never observed any issues with them, no error messages or any other logging messages. I believe I have a valid and quite simple (for my purposes of course) configuration. I make the authorization decision and if all OK, I proxy the request, otherwise I reject the request without proxying it. radiusd -X confirms that the configuration is correct, however I have this problem behaviour in large scale. My initial suspitions go to the proxying code to be honest, but I need to take a good look to grasp it. alan Kostas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Strange problems in large proxy setup
Kostas Zorbadelos wrote: radiusd -X confirms that the configuration is correct, however I have this problem behaviour in large scale. My initial suspitions go to the proxying code to be honest, but I need to take a good look to grasp it. I would try running the production radius in debugging mode and send the output to a file that you can review for anomalies. If it is happening often enough and you don't want to run the primary radius in debug mode, you could do it on the secondary and force a failover for a short time and try to catch it. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dial Up Admin Interface
- Original Message - From: Marc Hultquist [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, February 23, 2007 1:17 PM Subject: Re: Dial Up Admin Interface Have a look at the dialup_admin package which is available on freshmeat.net ! I believe the direct link to the project is - http://freshmeat.net/projects/dialup_admin/ ! Not sure if that is what you are looking for though. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The Dial up Admin Interface at sourceforge.net is out of the date, but in the freeradius-1.1.4.tar.gz have the lastest them. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[PATCH] When specifying the MODULES to build
Here's a small patch for configure.in: diff -ur freeradius-1.1.4-org/configure.in freeradius-1.1.4/configure.in --- freeradius-1.1.4-org/configure.in 2007-01-04 18:42:28.0 -0500 +++ freeradius-1.1.4/configure.in 2007-02-22 14:59:06.0 -0500 @@ -1057,17 +1057,19 @@ dnl dnl # make modules by list dnl # -if test x$EXPERIMENTAL = xyes; then - for foo in `ls -1 src/modules | grep rlm_`; do -MODULES=$MODULES $foo - done -else - dnl # - dnl # make ONLY the stable modules - dnl # - for foo in `cat src/modules/stable`; do -MODULES=$MODULES $foo - done +if [ -z $MODULES ]; then + if test x$EXPERIMENTAL = xyes; then + for foo in `ls -1 src/modules | grep rlm_`; do + MODULES=$MODULES $foo + done + else + dnl # + dnl # make ONLY the stable modules + dnl # + for foo in `cat src/modules/stable`; do + MODULES=$MODULES $foo + done + fi fi dnl # If not applied, calling configure --with-modules=eap sql would not do what it is supposed to do. -- == +--+ Martin Gadbois | Windows might take you from 0 to 60 faster, | S/W Developer | but to go to 100 you need Unix.| Colubris Networks Inc. +--+ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAM_RADIUS
Hi, I'd like to know if FreeRadius Pam_RADIUS is still up to date ? Do you have any suggest to make it work with Red Hat Entreprise Linux 4 ? Thanks, Thomas- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[UPDATE] FreeRADIUS + LVS problem
According to my research, FreeRADIUS supposedly does work from behind an LVS load balancer. My current configuration works perfectly outside of the LVS, but once it is put behind the LVS it ceases to work. Connections seem to succeed even behind the LVS, until they get to an access challenge, where I get: rad_recv: Access-Challenge packet from host 192.168.240.111:5058, id=42, length=64 Authentication reply packet code 11 sent to a non- proxy reply port from client WPA_Test:5058 - ID 42 : IGNORED This was actually due to a buggy 3com access point. The real problem seems to have something to do with the way NAT interacts with radius. The Access-Request packets arrive at the backend server just fine: rad_recv: Access-Request packet from host 192.168.240.172:1031, id=0, length=209 Sending duplicate reply to client WPA_Test2.med-web.com:1031 - ID: 0 Re-sending Access-Challenge of id 0 to 192.168.240.172 port 1031 The AP's log doesn't show any indications of receiving them, so it would appear the problem is in the LVS/NAT, and probably doesn't have anything to do with the radius configuration. Feel free to call me out on this if you have an alternative explanation. -- Click for free info on online masters degrees and make $150K/ year http://tagline.hushmail.com/fc/CAaCXv1S74peFBJxEXqfDuyjOXwTvFQZ/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAM_RADIUS
OK authentication works but not accounting whereas i have in etc/pam.d/system-auth : account sufficient /lib/security/$ISA/pam_radius_auth.so any idea why my REDHAT does not send any accounting ? Thomas Message du 23/02/07 à 17h39 De : [EMAIL PROTECTED] A : freeradius-users@lists.freeradius.org Copie à : Objet : PAM_RADIUS Hi, I'd like to know if FreeRadius Pam_RADIUS is still up to date ? Do you have any suggest to make it work with Red Hat Entreprise Linux 4 ? Thanks, Thomas [ (pas de nom de fichier) (0.1 Ko) ]- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Wait period between sessions
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Nixon Sent: Saturday, 24 February 2007 2:54 AM To: FreeRadius users mailing list Subject: Re: Wait period between sessions On Fri 23 Feb 2007 10:53, Alan DeKok wrote: Cory Robson wrote: I have a user group that is only allowed 3hr session times (easily resolved with sql counter module) with a 15 minute wait period between sessions. Has anyone written a module or know of a way to implement this wait period. A shell script would work. I was thinking something similar to a module based around the sql max session module only query the sql backend for the last time connected and if the period is less than set variable (15 mins in my case) then reject access with an error message like Wait Period Enforced Or, update the SQL query for Acct-Status-Type == Stop. Have it insert another field, saying when the user can next login. On login, check that field. I think you can do this without writing a module. Definitely yes. The question is what happens if the user manually disconnects prior to his session timeout then tries to reconnect In my needs he will still be subject to a wait period. Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __ NOD32 2078 (20070223) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
