Re: freeradius ldap connector
Hi, you can see the debug. There are 7 searches for a uid that doesn't exist in the LDAP directory:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for X06dfdgdg
radius_xlat: '(uid=X06dfdgdg)'
radius_xlat: 'ou=PERSONNES,o=sg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldaps://ldap-homo.sesme.group.scen, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cat-caconcerto-sogepass.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as sgzoneid=guards,ou=eloit,ou=personnes,o=sg/ghkhkk to ldaps://ldap-homo.sesame.group.socgen
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns notfound for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=PERSONNES,o=sg'
radius_xlat: '(uid=X06dfdgdg)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=PERSONNES,o=sg'
radius_xlat: '(uid=X06dfdgdg)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=PERSONNES,o=sg'
radius_xlat: '(uid=X06dfdgdg)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 116
modcall[authorize]: module files returns ok for request 0
modcall: group group returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=PERSONNES,o=sg'
radius_xlat: '(uid=X06dfdgdg)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=PERSONNES,o=sg'
radius_xlat: '(uid=X06dfdgdg)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=PERSONNES,o=sg'
radius_xlat: '(uid=X06dfdgdg)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched DEFAULT at 116
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [X06dfdgdg] (from client sdfsfds port 1 cli 192.18.136.19)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 165 to 192.18.136.44:1812
Reply-Message = forbidden.
Waking up in 4 seconds...

Message of 06/03/07 at 11:58
From: Michael Mitchell
To: FreeRadius users mailing list
Cc:
Subject: Re: freeradius ldap connector

> [EMAIL PROTECTED] wrote:
> > I notice that Freeradius tries 6 times to find a user in my LDAP directory when this user doesn't exist.
>
> err, really? During authorisation (where a search is performed by a privileged user) or during authentication (where an attempt may be made to bind to LDAP as the customer)? What does the debug say? (run radiusd with the -X flag).
>
> > Is there a way to make freeradius try only one time?
>
> It only tries once for me, but I only do LDAP authorisation.
>
> regards,
> Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius ldap connector
[EMAIL PROTECTED] wrote:
> you can see the debug. there are 7 searches for an uid that doesn't exist in the ldap directory:

Because you told the server to do that. Please read the debug log to see why.

> ...
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: search failed
> ...
> users: Matched DEFAULT at 116

You have 7 uses of LDAP-Group in the users file. If you don't want the server to perform LDAP lookups, don't configure it to do LDAP lookups.

And the LDAP lookups aren't cached in FreeRADIUS. Doing so would be wrong, for a whole host of reasons.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
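A per-request triage of radiusd -X output along the lines of the reading Alan asks for, as an added example that is not code from the thread or from FreeRADIUS. The debug excerpt inside it is constructed in the shape of the one posted above (with a placeholder bind DN, host and client name); the script attributes each LDAP search to the authorize pass or to an LDAP-Group comparison, which is how the "7 searches" split out.

```python
"""Triage helper for FreeRADIUS 1.x "radiusd -X" output, written for this thread
(not FreeRADIUS code): it counts the LDAP searches rlm_ldap performed for one
request and attributes each search to the code path that asked for it, the
authorize pass or an LDAP-Group comparison made while matching the users file."""
import re
from collections import Counter

# Constructed excerpt modelled on the debug output quoted in this thread:
# one authorize search, then six ldap_groupcmp() searches for the same missing uid.
# The bind DN, host and client name below are placeholders, not the poster's values.
GROUPCMP_BLOCK = (
    "rlm_ldap: Entering ldap_groupcmp()\n"
    "radius_xlat: 'ou=PERSONNES,o=sg'\n"
    "radius_xlat: '(uid=X06dfdgdg)'\n"
    "rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)\n"
    "rlm_ldap: object not found or got ambiguous search result\n"
    "rlm_ldap::ldap_groupcmp: search failed\n"
)
SAMPLE_DEBUG = (
    "rlm_ldap: - authorize\n"
    "rlm_ldap: performing user authorization for X06dfdgdg\n"
    "rlm_ldap: bind as cn=radius,ou=svc,o=example to ldaps://ldap.example.test\n"
    "rlm_ldap: Bind was successful\n"
    "rlm_ldap: performing search in ou=PERSONNES,o=sg, with filter (uid=X06dfdgdg)\n"
    "rlm_ldap: object not found or got ambiguous search result\n"
    "rlm_ldap: search failed\n"
    "modcall[authorize]: module ldap returns notfound for request 0\n"
    + GROUPCMP_BLOCK * 3
    + "users: Matched DEFAULT at 116\n"
    "modcall[authorize]: module files returns ok for request 0\n"
    + GROUPCMP_BLOCK * 3
    + "users: Matched DEFAULT at 116\n"
    "modcall[authorize]: module files returns ok for request 0\n"
    "rad_check_password: Found Auth-Type Reject\n"
    "Login incorrect (rlm_ldap: User not found): [X06dfdgdg] (from client nas1 port 1)\n"
    "Finished request 0\n"
)

SEARCH_RE = re.compile(r"^rlm_ldap: performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))$")
MODCALL_RE = re.compile(r"^modcall\[(?P<section>\w+)\]: module (?P<module>\w+) returns (?P<rc>\w+)")
USERS_RE = re.compile(r"^users: Matched (?P<entry>\S+) at (?P<line>\d+)$")
LOGIN_RE = re.compile(r"^Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]/]*)")


def summarize_request(debug_text):
    """Walk one request's debug lines and collect where the LDAP traffic came from."""
    context = "other"           # which rlm_ldap entry point the next search belongs to
    summary = {
        "binds": 0,
        "searches": Counter(),  # context -> number of searches
        "filters": Counter(),   # LDAP filter -> number of times it was sent
        "module_returns": [],   # (module, return code) in order of appearance
        "users_matches": [],    # (entry, users-file line) for each users match
        "login": None,          # (result, user, reason) from the final log line
    }
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith("rlm_ldap: performing user authorization"):
            context = "authorize"
        elif line == "rlm_ldap: Entering ldap_groupcmp()":
            context = "groupcmp"
        elif line.startswith("rlm_ldap: bind as "):
            summary["binds"] += 1
        m = SEARCH_RE.match(line)
        if m:
            summary["searches"][context] += 1
            summary["filters"][m.group("filter")] += 1
            continue
        m = MODCALL_RE.match(line)
        if m:
            summary["module_returns"].append((m.group("module"), m.group("rc")))
            continue
        m = USERS_RE.match(line)
        if m:
            summary["users_matches"].append((m.group("entry"), int(m.group("line"))))
            continue
        m = LOGIN_RE.match(line)
        if m:
            summary["login"] = (m.group("result"), m.group("user"), m.group("reason"))
    return summary


def findings(summary):
    """Turn the counts into the observations a reviewer of this debug log would make."""
    notes = []
    total = sum(summary["searches"].values())
    groupcmp = summary["searches"]["groupcmp"]
    if groupcmp:
        notes.append(f"{groupcmp} of {total} LDAP searches came from LDAP-Group checks: "
                     "every LDAP-Group entry evaluated from the users file costs one uncached search")
    for flt, n in summary["filters"].items():
        if n > 1:
            notes.append(f"filter {flt} was sent {n} times within a single request")
    if ("ldap", "notfound") in summary["module_returns"] and groupcmp:
        notes.append("ldap already returned notfound in authorize; the LDAP-Group checks that "
                     "followed could not succeed and only add directory load per rejected login")
    return notes


if __name__ == "__main__":
    s = summarize_request(SAMPLE_DEBUG)
    print(dict(s["searches"]), s["users_matches"], s["login"])
    for note in findings(s):
        print("-", note)
```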
Building freeradius 1.1.5 packages on Debian
Hi, I tried building Debian packages on the latest 1.1.5 and ended up with packages named 1.1.3. Is that the way it's supposed to be?

Thanks.

Nils O. Bekken
Re: Building freeradius 1.1.5 packages on Debian
Nils Olav Brandstorp Bekken wrote:
> Hi, I tried building Debian packages on the latest 1.1.5 and ended up with packages named 1.1.3. Is that the way it's supposed to be?

Obviously no. I'm not sure what to fix in the debian directory to get the correct version updated...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius simultenoues-use error
I am not getting you. How do I query the NAS from a shell script?? And what is an FR packet?? If you have any example script, can you send it to me? I am in a problem :(

Dennis Skinner [EMAIL PROTECTED] wrote:
> satish patel wrote:
> > User  AcctStartTime     AcctStopTime
> > abc   08/03/2007:01:30  1/1/1900
> >
> > Now the user can access the internet and everything is going fine, but after, when I stop the radiusd process and start it, my user is disconnected and when he/she tries to log in to cisco VPDN he/she gets an access deny error, and I get some log about multiple user login:
> >
> > Thu Mar 8 20:12:05 2007 : Auth: Multiple logins (max 1) :
>
> Looks like the problem isn't FreeRADIUS. The problem is that your NAS is not sending (or FR is not hearing) the stop packets for various reasons. You may need to write a cronjob that runs every minute that looks at your DB to find open connections and then polls your NAS to verify that info and update the DB with stop times if the session is gone.
>
> FreeRADIUS is doing exactly what you told it to do. Now go make the rest of your system behave or fudge it as I have described.
>
> --
> Dennis Skinner
> Systems Administrator
> BlueFrog Internet
> http://www.bluefrog.com

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site http://linux.tulipit.com
Re: freeradius simultenoues-use error
You already have a Perl script that does such checking. It's called checkrad.pl and it comes with freeradius.

Ivan Kalik
Kalik Informatika ISP

On 9/3/2007, satish patel [EMAIL PROTECTED] wrote:
> I am not getting you. How do I query the NAS from a shell script?? And what is an FR packet?? If you have any example script, can you send it to me? I am in a problem :(
>
> Dennis Skinner [EMAIL PROTECTED] wrote:
> > [...]
Re: Building freeradius 1.1.5 packages on Debian
Quoting Alan DeKok [EMAIL PROTECTED]:
> Nils Olav Brandstorp Bekken wrote:
> > Hi, I tried building Debian packages on the latest 1.1.5 and ended up with packages named 1.1.3. Is that the way it's supposed to be?
>
> Obviously no. I'm not sure what to fix in the debian directory to get the correct version updated...
>
> Alan DeKok.

afaik the debian package builder takes this information from the file debian/changelog.

regards
markus

Markus Krause, Mogli-Soft
Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
E-Mail: [EMAIL PROTECTED]   Tel.: 089 - 89 40 85 99
[EMAIL PROTECTED]   Fax.: 089 - 89 40 85 98
Skype: markus.krause   iChat: [EMAIL PROTECTED]
Re: Building freeradius 1.1.5 packages on Debian
Nils Olav Brandstorp Bekken wrote:
> I tried building Debian packages on the latest 1.1.5 and ended up with packages named 1.1.3. Is that the way it's supposed to be?

The version number apart, your binaries should be correct. Just replace 1.1.3 by 1.1.5 in the file debian/changelog to fix that.

--
Nicolas Baradakis
query on MS-CHAPV2
Hi, I am using Freeradius 1.1.4 for testing my client for MS-CHAPV2. I am not clear on the final step of the MS-CHAPV2 authentication, i.e. after receiving MS-CHAP2-Success from the radius server, which contains a 42-byte string, what should the client do? From the draft, it looks like the client should use this string to authenticate the server. But it is not clear from the draft how it is generated by the server. Similarly, how should the client generate the same and authenticate the server?

Thanks in advance.
Re: freeradius simultenoues-use error
I have checkrad.pl but this is not working. My setup is freeradius-1.1.4 with MSSQL (Windows 2000 SQL) and I am using Simultaneous-Use with the /etc/raddb/mssql.conf file, and in raddb/radiusd.conf I have enabled { session sql }. When I run radwho I don't get any online users. How can I check the checkrad perl script? Is there any option? I have set NAS type other; when I set it to cisco my Simultaneous-Use is not working. And these days my radiusd server automatically dies, I don't know why; I am using radwatch but it still dies and dies. Which radius version is best for RHEL 4.0 redhat linux?

[EMAIL PROTECTED] wrote:
> You already have a Perl script that does such checking. It's called checkrad.pl and it comes with freeradius.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 9/3/2007, satish patel wrote:
> > [...]

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site http://linux.tulipit.com
Re: freeradius simultenoues-use error
Thanks dear, tell me one thing.

1) In freeradius there are two types of method for simultaneous login checking: one is an SQL-based query and the second is the checkrad perl script. Now I am using the Simultaneous-Use attribute through SQL; I have done some changes in the raddb/mssql.conf file (simu_count and simu_very) and this is working fine. But now I want to check this thing not from SQL; I want to use the checkrad perl script, so what is the configuration for this? I have read documents on the net but they are a bit confusing to me: some authors told me to put an entry in naslist, naspasswd and client.conf, so I don't know where to put the right entry to start this thing. And I have read one more thing, that the checkrad script supports cisco NAS. I have a cisco router and I have enabled snmp, but I don't know how to check whether this checkrad script is working or not. Can you explain this thing to me, because I am suffering from this thing.

One more problem: my radiusd server dies again and again and I got this error:

*** glibc detected *** malloc()

What is this and how can I resolve it?

[EMAIL PROTECTED] wrote:
> # SNMP CONFIGURATION
> #
> # Snmp configuration is only valid if SNMP support was enabled
> # at compile time.
> #
> # To enable SNMP querying of the server, set the value of the
> # 'snmp' attribute to 'yes'
> #
> snmp = no
> $INCLUDE ${confdir}/snmp.conf
>
> This is in radius.conf. Change snmp = yes and checkrad should work with nastype set to cisco.
>
> If you want to get rid of all stale sessions delete them with an SQL oneliner like:
>
> delete from radacct where AcctStopTime=0 and AcctStartTime<'2007-3-8'
>
> (this is MySQL - MSSQL syntax might be slightly different)
>
> This will delete all open sessions up to today.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 8/3/2007, satish patel wrote:
> > Dear all, I am fed up with this problem. I don't know how to resolve it and no one helps me out of this problem. I have a freradius-1.1.4 + MSSQL setup; user databases and accounting are done by MSSQL and my NAS is a cisco router with VPDN configuration. But I have been facing some problem since last week. Suppose one user logs in to the cisco router and his/her accounting starts on the MSSQL server. I am using the Simultaneous-Use feature in SQL. Example radacct table:
> >
> > User  AcctStartTime     AcctStopTime
> > abc   08/03/2007:01:30  1/1/1900
> >
> > Now the user can access the internet and everything is going fine, but after, when I stop the radiusd process and start it, my user is disconnected and when he/she tries to log in to cisco VPDN he/she gets an access deny error, and I get some log about multiple user login:
> >
> > Thu Mar 8 20:12:05 2007 : Auth: Multiple logins (max 1) : [mlpm484/] (from client cisco port 974)
> > Thu Mar 8 20:12:08 2007 : Auth: Multiple logins (max 1) : [mlpm629/] (from client cisco port )
> > Thu Mar 8 20:12:10 2007 : Auth: Multiple logins (max 1) : [mlpm484/] (from client cisco port 460)
> > Thu Mar 8 20:12:14 2007 : Auth: Multiple logins (max 1) :
> >
> > Something like this. It means that in MSSQL AcctStopTime there is still a user login, meaning that entry is still not cleared; that's why I get the error 'Multiple logins (max 1)'. In my client.conf file NAStype is other, because when I use the cisco nastype my Simultaneous-Use is not working?? So I think this detail is enough for help; please tell me the right suggestion if I am wrong.

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site http://linux.tulipit.com
*** glibc detected *** malloc()
I have freeradius version 1.1.4 latest and I am using it with cisco VPDN with MSSQL database and I got this error. And this is my production server; many users' accounting is running on this server. What the hell is it? My radius dies again and again; I also started radwatch but it still dies.

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site http://linux.tulipit.com
radiusd -x show me unwanted thing
Dear all, I am using freeradius + vpdn + mssql, but when no one is logged in to cisco vpdn it shows me accounting of users. How does it show me some user accounting? I don't know why??? Something like this:

Service-Type = Framed-User
NAS-IP-Address = 192.168.1.1
Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 4
query: INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPort, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('AECD', 'a36f3c2d52d02639', 'mlpm677', '', '192.168.1.1', '', 'Virtual', '2007-03-09 19:43:11', '0', 'RADIUS', '', '', '0', '0', '', '', '', 'Framed-User', 'PPP', '', '0', '0')
rlm_sql (sql): Released sql socket id: 4
Sending Accounting-Response of id 69 to 192.168.1.1 port 1646
rad_recv: Accounting-Request packet from host 192.168.1.1:1646, id=70, length=213
Acct-Session-Id = ADCC
Tunnel-Server-Endpoint:0 = 192.168.1.1
Tunnel-Client-Endpoint:0 = 10.0.54.18
Tunnel-Assignment-Id:0 = tulip
Framed-Protocol = PPP
Framed-IP-Address = 10.100.18.11
User-Name = mlpm607
Cisco-AVPair = connect-progress=LAN Ses Up
Acct-Session-Time = 1797
Acct-Input-Octets = 466393
Acct-Output-Octets = 2625282
Acct-Input-Packets = 3259
Acct-Output-Packets = 3335
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
Cisco-NAS-Port = Uniq-Sess-ID337
NAS-Port = 337
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.1
Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 3
query: UPDATE radacct SET FramedIPAddress = '10.100.18.11', AcctSessionTime = '1797', AcctInputOctets = '466393', AcctOutputOctets = '2625282' WHERE AcctSessionId = 'ADCC' AND UserName = 'mlpm607' AND NASIPAddress= '192.168.1.1'
rlm_sql (sql): Released sql socket id: 3
Sending Accounting-Response of id 70 to 192.168.1.1 port 1646

But the user is still not logged in, so what is this?

$ cat ~/satish/url.txt
System administrator ( Data Center )
please visit this site http://linux.tulipit.com
EAP and System users?
Hi,

We've been working on having a setup that can authenticate users against LDAP via EAP (Chap) as well as System users. We can get it to do one or the other, but not both. Is it possible to do both? If so, how?

Thanks

Matt
[EMAIL PROTECTED]
Re: *** glibc detected *** malloc()
satish patel wrote:
> I have freeradius version 1.1.4 latest and I am using it with cisco VPDN with MSSQL database and I got this error. And this is my production server; many users' accounting is running on this server. What the hell is it? My radius dies again and again; I also started radwatch but it still dies.

It looks like a bug in the mssql driver in FreeRADIUS.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: freeradius simultenoues-use error
satish patel wrote:
> I am not getting you. How do I query the NAS from a shell script??

See your NAS docs. SNMP may be an option if the NAS supports it (and FR may be able to handle the query itself as another poster suggested), but there may be other ways. For instance, we have a couple of scripts we use when we want to boot a particular user. They are simple bash scripts that use expect to handle logging into our cisco modems and look for the tty that the user is on and then clear that tty. It has limitations as the cisco show users command only shows so many characters of the username, but it is used rarely and only by me. This option may work for you depending on your situation.

> And what is an FR packet??

I said that FR (FreeRADIUS) may not hear the stop packet (the stop accounting record) from the NAS.

> If you have any example script, can you send it to me? I am in a problem :(

Have a look at bash scripting and expect. It is fairly simple and you may be able to get away with it.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: freeradius ldap connector
OK thanks

Message of 09/03/07 at 09:52
From: Alan DeKok
To: [EMAIL PROTECTED], FreeRadius users mailing list
Cc:
Subject: Re: freeradius ldap connector

> [EMAIL PROTECTED] wrote:
> > you can see the debug. there are 7 searches for an uid that doesn't exist in the ldap directory:
>
> Because you told the server to do that. Please read the debug log to see why.
>
> > ...
> > rlm_ldap: object not found or got ambiguous search result
> > rlm_ldap::ldap_groupcmp: search failed
> > ...
> > users: Matched DEFAULT at 116
>
> You have 7 uses of LDAP-Group in the users file. If you don't want the server to perform LDAP lookups, don't configure it to do LDAP lookups.
>
> And the LDAP lookups aren't cached in FreeRADIUS. Doing so would be wrong, for a whole host of reasons.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: EAP and System users?
Matt Ashfield wrote:
> We've been working on having a setup that can authenticate users against LDAP via EAP (Chap) as well as System users.

http://deployingradius.com/documents/protocols/compatibility.html

LDAP doesn't do CHAP, so I'm not sure what you mean. The only EAP methods that are compatible with /etc/password are EAP-GTC, or TTLS with tunneled PAP.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: EAP and System users?
I guess what I meant was that we'd want to authenticate the user in one of two ways: (1) as a System User, so the client's credentials would be compared against the system users, OR, if no such user exists, (2) verify the client against credentials stored in LDAP.

Both of these scenarios work individually. Meaning I can configure FR to authenticate System users. I can also configure FR to authenticate against LDAP. But we cannot seem to combine them and offer both options.

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: March 9, 2007 11:21 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: EAP and System users?

Matt Ashfield wrote:
> We've been working on having a setup that can authenticate users against LDAP via EAP (Chap) as well as System users.

http://deployingradius.com/documents/protocols/compatibility.html

LDAP doesn't do CHAP, so I'm not sure what you mean. The only EAP methods that are compatible with /etc/password are EAP-GTC, or TTLS with tunneled PAP.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: EAP and System users?
Matt Ashfield wrote:
> I guess what I meant was that we'd want to authenticate the user in one of two ways: (1) as a System User, so the client's credentials would be compared against the system users, OR, if no such user exists, (2) verify the client against credentials stored in LDAP.

See doc/configurable_failover. It's easier in the CVS head, because the unix module doesn't have an authenticate section any more, as it doesn't need one. There, you can do:

group {
    unix {
        updated = return
    }
    ldap
}

> Both of these scenarios work individually. Meaning I can configure FR to authenticate System users. I can also configure FR to authenticate against LDAP. But we cannot seem to combine them and offer both options.

Perhaps you could paste part of your configuration and part of the debug log. Odds are you're forcing system authentication, so that works... OR you're forcing LDAP, so that works. But forcing one means that the other is forbidden.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: freeradius simultenoues-use error
You have a document Simultaneous-Use in /usr/local/share/doc/freeradius-version. See if that is helpful.

Best thing to do is to have a look at the script and see if you can switch on logging or debugging somewhere. Then try running it manually and see what happens. It might not be pulling NAS information properly.

No radwho output? How about radlast - does it have recent entries or from some days ago (or none at all)?

Can you paste the part of radiusd -X output when that error occurs?

Ivan Kalik
Kalik Informatika ISP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of satish patel
Sent: 09 March 2007 14:06
To: FreeRadius users mailing list
Subject: Re: freeradius simultenoues-use error

Thanks dear, tell me one thing.

1) In freeradius there are two types of method for simultaneous login checking: one is an SQL-based query and the second is the checkrad perl script. Now I am using the Simultaneous-Use attribute through SQL; I have done some changes in the raddb/mssql.conf file (simu_count and simu_very) and this is working fine. But now I want to check this thing not from SQL; I want to use the checkrad perl script, so what is the configuration for this? I have read documents on the net but they are a bit confusing to me: some authors told me to put an entry in naslist, naspasswd and client.conf, so I don't know where to put the right entry to start this thing. And I have read one more thing, that the checkrad script supports cisco NAS. I have a cisco router and I have enabled snmp, but I don't know how to check whether this checkrad script is working or not. Can you explain this thing to me, because I am suffering from this thing.

One more problem: my radiusd server dies again and again and I got this error:

*** glibc detected *** malloc()

What is this and how can I resolve it?

[EMAIL PROTECTED] wrote:
> [...]
1.1.5 double free or corruption
Hi,

I have built freeradius-1.1.5 with mysql, ldap and openssl on CentOS 4.4. Everything looks ok (configure, make, make install), but when running the server, it dies.

[EMAIL PROTECTED] freeradius-1.1.5]$ sudo /opt/freeradius-1.1.5-1/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/freeradius-1.1.5-1/etc/raddb/proxy.conf
Config: including file: /opt/freeradius-1.1.5-1/etc/raddb/clients.conf
Config: including file: /opt/freeradius-1.1.5-1/etc/raddb/snmp.conf
Config: including file: /opt/freeradius-1.1.5-1/etc/raddb/eap.conf
Config: including file: /opt/freeradius-1.1.5-1/etc/raddb/sql.conf
 main: prefix = /opt/freeradius-1.1.5-1
 main: localstatedir = /opt/freeradius-1.1.5-1/var
 main: logdir = /opt/freeradius-1.1.5-1/var/log/radius
 main: libdir = /opt/freeradius-1.1.5-1/lib
 main: radacctdir = /opt/freeradius-1.1.5-1/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /opt/freeradius-1.1.5-1/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /opt/freeradius-1.1.5-1/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /opt/freeradius-1.1.5-1/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /opt/freeradius-1.1.5-1/lib
*** glibc detected *** double free or corruption (fasttop): 0x098a55d8 ***
Aborted

If it helps, here's the end of an strace:

open(/opt/freeradius-1.1.5-1/etc/raddb/realms, O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0640, st_size=187, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f76000
read(3, #\n#\tTHIS FILE IS DEPRECATED.\n#\n#..., 4096) = 187
read(3, , 4096) = 0
close(3)= 0
munmap(0xb7f76000, 4096)= 0
getrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=RLIM_INFINITY}) = 0
stat64(/opt/freeradius-1.1.5-1/var/log/radius, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getgid32() = 0
open(/etc/services, O_RDONLY) = 3
fcntl64(3, F_GETFD) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=20373, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f76000
read(3, # /etc/services:\n# $Id: services..., 4096) = 4096
read(3, 123/tcp\nntp\t\t123/udp\t\t\t\t# Networ..., 4096) = 4096
read(3, \t\t873/tcp\t\t\t\t# rsync\nrsync\t\t873/..., 4096) = 4096
close(3)= 0
munmap(0xb7f76000, 4096)= 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(1812), sin_addr=inet_addr(0.0.0.0)}, 16) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(1813), sin_addr=inet_addr(0.0.0.0)}, 16) = 0
time(NULL) = 1173470425
write(1, radiusd: entering modules setup..., 33radiusd: entering modules setup ) = 33
time(NULL) = 1173470425
write(1, Module: Library search path is /..., 59Module: Library search path is /opt/freeradius-1.1.5-1/lib ) = 59
open(/opt/freeradius-1.1.5-1/lib/rlm_exec.la, O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0755, st_size=895, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f76000
read(5, # rlm_exec.la - a libtool librar..., 4096) = 895
read(5, , 4096) = 0
close(5)= 0
munmap(0xb7f76000, 4096)= 0
futex(0xa98060, FUTEX_WAKE, 2147483647) = 0
open(/opt/freeradius-1.1.5-1/lib/rlm_exec.a, O_RDONLY) = 5
read(5, !arch\n/ 11734703..., 512) = 512
close(5)= 0
open(/opt/freeradius-1.1.5-1/lib/rlm_exec-1.1.5.so, O_RDONLY) = 5
read(5, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\270\10..., 512) = 512
fstat64(5, {st_mode=S_IFREG|0755, st_size=17018, ...}) = 0
old_mmap(NULL, 9308, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0xf7a000
sql_counter
Hi all,

Does somebody know how to pass external variables to sql_counter modules, and especially CallingStationId? I'd like to pass the MAC address of the PC making the request.

Thanks in advance, ciao!

-- Pierluigi Di Lorenzo ePrometeus s.r.l

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
authenticating multiple modules?
Freeradius experts,

I want to use one freeradius server to authenticate against a system file for students and against ldap for faculty/staff. I can get the system file to work alone. I can get the ldap module to work alone. But I can't seem to find a way to get both of them to work together. If I set DEFAULT Auth-Type = System in the users file, it authenticates the system files. If I set it to ldap, it authenticates to ldap. If I put both in the users file, it authenticates ldap users only. How do I allow both unix and ldap modules to authenticate their respective users?

Note: users are unique to each module. A user in unix does not exist in ldap and vice versa.

Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED]
Re: authenticating multiple modules?
On 9/3/2007, Tim Tyler [EMAIL PROTECTED] wrote:

Freeradius experts,

I want to use one freeradius server to authenticate against a system file for students and against ldap for faculty/staff. I can get the system file to work alone. I can get the ldap module to work alone. But I can't seem to find a way to get both of them to work together. If I set DEFAULT Auth-Type = System in the users file, it authenticates the system files. If I set it to ldap, it authenticates to ldap. If I put both in the users file, it authenticates ldap users only. How do I allow both unix and ldap modules to authenticate their respective users?

Note: users are unique to each module. A user in unix does not exist in ldap and vice versa.

Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED]
Re: problems with vpn
Marilene Lima wrote:

Hi, I have a big problem. I configured freeradius and mysql with linux debian. When I use radtest, I receive a success message:

# radtest joao senhasecreta 10.0.164.71 1812 radius_secret
Sending Access-Request of id 69 to 10.0.164.71:1812
        User-Name = joao
        User-Password = senhasecreta
        NAS-IP-Address = wireless6e
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 10.0.164.71:1812, id=69, length=20
wireless6e:~#

But when I try to access from a windows client, through a vpn, freeradius does not respond. I configured the vpn server with the ip of the vpn server.

Thanks a lot,
Marilene

Perhaps a firewall blocks UDP packets on 1812. Try pinging or connecting to another service and see what is wrong.

-- Pierluigi Di Lorenzo ePrometeus s.r.l
sqlcounter reauthentication flag
Hi,

I just heard about a so-called reauthentication flag. Has this something to do with the sqlcounter module? Could I use this flag to log out the clients automatically after their login expires instead of using the sqlcounter module (as I do not get a self-compiled fr running properly)? How would I have to use it; is there some documentation somewhere?

If I use neither sqlcounter nor this flag, do I understand correctly that the clients would not be logged off automatically after their login expires, but they could not log in again after expiration?

Thanks for this hint,
Jan
Re: FR supported attributes
Radius attributes - http://www.freeradius.org/rfc/attributes.html . You actually invent sqlcounter attributes yourself by making the appropriate SQL query.

Ivan Kalik
Kalik Informatika ISP

On 9/3/2007, PD [EMAIL PROTECTED] wrote:

Hi all,

Where to find all of the FR supported attributes? I just tried the rlm_sqlcounter module with the noresetcounter script and the Max-All-Session attribute and they are working fine. And I plan to add another attribute called expiration (?) and need the correct syntax for how to use it. Where to find my needs?

TIA
PD
Re: FR supported attributes
On 3/10/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Radius attributes - http://www.freeradius.org/rfc/attributes.html .

Thx, but I can not find the expiration attribute in the above list. But I do find 'Expiration' in dictionary.freeradius.internal and also a small (not enough information) explanation at http://wiki.freeradius.org/Radiusd.conf

PD
Re: FR supported attributes
Unfortunately, I found the answer to a similar question. See http://www.arcknowledge.com/gmane.comp.freeradius.user/2003-02/msg00671.html

Well.. just to make sure, can the Expiration attribute work together with the Max-All-Session attribute? The case is supposed to create an account for 10 hours but only valid one week after the creation date.

TIA
PD

On 3/10/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Radius attributes - http://www.freeradius.org/rfc/attributes.html . You actually invent sqlcounter attributes yourself by making the appropriate SQL query.

Ivan Kalik
Kalik Informatika ISP
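The two posts above describe a counter whose meaning comes from its own SQL query, and ask whether that counter can be combined with Expiration on one account. The fragment below is an added illustration, not configuration from this thread or from the FreeRADIUS project; the instance name, user name, quota and date are assumed, and the instance layout follows the FreeRADIUS 1.x sqlcounter example.

```conf
# radiusd.conf: the counter "invents" Max-All-Session by defining what it
# counts. The query sums AcctSessionTime over every accounting record for
# the key (User-Name), and reset = never means it is never zeroed.
# Assumed instance name; the module and attribute names exist in 1.x.
sqlcounter noresetcounter {
    counter-name = Max-All-Session-Time
    check-name   = Max-All-Session
    sqlmod-inst  = sql
    key          = User-Name
    reset        = never
    query        = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

# The counter only works if it runs after the module that loaded the
# check items (sql here), so the quota is already in the request.
authorize {
    preprocess
    sql
    noresetcounter
}

# users file entry (the same two rows could live in radcheck): both check
# items sit on one account. Expiration is evaluated by the server core;
# Max-All-Session is evaluated by the counter above. Whichever fails first
# rejects the login. Assumed user "test", 10 hours = 36000 seconds, assumed
# cut-off date one week after the account was created.
test    Max-All-Session := 36000, Expiration := "Mar 17 2007"
```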
Correction of Reply Messages
Dear all,

Sorry for the cross post... since I doubt which area this question belongs to.

I just created one account called test for a duration of 300 seconds / 5 minutes. After the maximum time was reached, I was logged out by the system. When I try to log in again, the reply message displayed is:

Your maximum never usage time has been reached

It seems that I need some correction to the message (take out "never"), but I do not know how to do it. Can someone let me know where to edit the above reply message?

TIA
PD
IP Address based proxy forward
Hello,

I’ve added a test line in the freeradius 1.1.1 users file:

TestUser Client-IP-Address == 192.168.1.128/28, Proxy-To-Realm := ServerA

proxy.conf contains the realm definition... I’ve restarted the freeradius daemon for the server to take care of the changes.

When I send a request from a NAC with the IP address 192.168.1.129, it does not work, as described in the debug output:

modcall[authorize]: module files returns notfound for request 34

Does anyone have an idea why it does not work?

Philippe