Triple Play Service Accounting Suggestion
Hi all, I am planning to deploy DSL services along with a triple play service. I would like to use FreeRADIUS for my test application and for performance testing before going to the live environment. Could someone suggest whether FreeRADIUS can be used for this kind of application? If it supports this, can someone guide me to a URL where I can integrate all the services?

Thanks,
ram

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HELP: radtest fails local test
Freeradius 1.1.3

smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

How do I configure the users file to authenticate against the AD? The howto I followed says you do not need to configure the users file. I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly. Is there any howto that actually covers this properly?

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > A local test using radtest fails but I am unsure why. It looks like it's trying to authenticate against the unix passwd file,
>
> Yes. See the users file. It sets authentication to /etc/passwd (or system) if there's no other method set.
>
> > I only need FR to auth against our w2k3 AD server. Any help is appreciated.
>
> For PAP authentication, you have to configure that manually, i.e. tell the server: if you receive PAP, run ntlm_auth to authenticate against AD. See the exec module for how to run external programs.
>
> It looks like you didn't tell the server to authenticate against AD. Please do so.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Freeradius + AD2003 Authentication ERROR - Help please !
OK, will try another user. Thanks again for the tips, Alan.

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > I start the wireless connection on XP, enter the user and password, freeradius runs the ntlm_auth command but then it spits out this huge message. It's so big the terminal's buffer isn't big enough, but I have copied and pasted everything I can.
>
> $ script logfile
> $ radiusd -X
> ...
> $ exit
> $ more logfile
>
> > SSL ERROR: (other): SSL negotiation finished successfully
> > rlm_eap: SSL error error::lib(0):func(0):reason(0)
>
> That's fixed in 1.1.6. It's not an error, it just logs too much information.
>
> > Failure to validate user:
> > Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain= --username=Administrator --challenge=bb4c397988ae6ebc --nt-response=4a7cd9abdfc2f92680c182845a937f4beb6646c4cddd7de1
> > Exec-Program output: No such user (0xc064)
> > Exec-Program-Wait: plaintext: No such user (0xc064)
>
> The ntlm_auth program returns that there's no such user. Maybe you should try testing with a user other than Administrator.
>
> Alan DeKok.
Re: 1.1.6 crashes on fedora 6
There could be some libs lurking around, but for the moment I will stick with 1.1.3 until I resolve these authentication issues. My job depends on it.

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > *** glibc detected *** ./sbin/radiusd: double free or corruption
> > ...
> > It's pretty much the same issue I had with 1.1.5 on fedora 6
>
> Are you sure you've removed all of the 1.1.5 libraries and binaries?
>
> And the immediate cause of the bug appears to be libltdl, if the backtrace can be believed.
>
> Alan DeKok.
Re: HELP: radtest fails local test
Jacob Jarick wrote:
> How do I configure the users file to authenticate against the AD? The howto I followed says you do not need to configure the users file.

If you're using PEAP, yes. If you're just using PAP, you need to tell the server what to do.

> I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly.

So... when I said you need to run ntlm_auth, and you could use the exec module to do that, what conclusion did you reach?

Or, you can replace the reference to System in the users file with Kerberos. But be sure you've told FreeRADIUS to use the kerberos module.

Alan DeKok.
Re: HELP: radtest fails local test
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

OK, some more googling :P and I've turned up this interesting howto which I will be trialling:
http://deployingradius.com/documents/configuration/active_directory.html

It covers "Configuring FreeRADIUS to use ntlm_auth" in a bit more detail than the last one.
Re: HELP: radtest fails local test
Alan, thanks so much for your advice mate. I got it going finally!

For people out there looking to do a similar setup, here is my short mini howto:

1. Install Kerberos
2. Install OpenSSL
3. Install Samba
4. Follow the FreeRADIUS tutorial for AD integration: http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+implementation/freeRadius_AD_tutorial.pdf
5. Follow this guide, particularly the part about "Configuring FreeRADIUS to use ntlm_auth": http://deployingradius.com/documents/configuration/active_directory.html
Re: HELP: radtest fails local test
Hi,

> and I've turned up this interesting howto which I will be trialling:
> http://deployingradius.com/documents/configuration/active_directory.html

yep - the official FreeRADIUS wiki/book combo from Alan D

alan
Re: 1.1.6 crashes on fedora 6
Jacob Jarick wrote:
> *** glibc detected *** ./sbin/radiusd: double free or corruption (fasttop): 0x09f91ca8 ***
> === Backtrace: =
> /lib/libc.so.6[0xcbfefd]
> /lib/libc.so.6(cfree+0x90)[0xcc3550]
> /usr/local/lib/libltdl.so.3[0x3d55db]
> /usr/local/lib/libltdl.so.3(lt_dlopenext+0xbe)[0x3d5f6e]

You could try to use the libltdl from Fedora instead of the one from the FreeRADIUS sources.

$ ./configure --with-system-libtool

You could also try to build a RPM package from sources; this will toggle the option for you. See the wiki for more details.
http://wiki.freeradius.org/Build#Building_RedHat_packages

--
Nicolas Baradakis
Re: dialupadmin and php5 (was: FreeRADIUS 1.1.6 has been released)
Markus Krause wrote:
> I just downloaded the 1.1.6 release via ftp and tried to build debian packages on Etch and rpms on SLES10; here is the almost successful story: ;-)

Thanks for the feedback.

> I am not sure; Debian Etch (released on 8 April) contains both php4 and php5, and I think there might be a lot of users/admins who still use/prefer php4 on their systems. So what about something like
>
> Package: freeradius-dialupadmin
> Architecture: all
> Depends: php4 | php4-cgi | php5 | php5-cgi

I'm not using dialupadmin, so I'm not sure if it works cleanly with php5. I'd like to get a report that this is the case before editing the Depends line.

I also note there is a related report on the Debian BTS. However the reporter didn't provide feedback whether dialupadmin works with php5 or not.
http://bugs.debian.org/412701

--
Nicolas Baradakis
Re: log on device directly in priviledged mode
Molteni Davide [EMAIL PROTECTED] writes:
> Finally I successfully managed to log into the cisco switch (thanks to your help) using freeradius. Now I want the radius users to be able to enter enable mode on the cisco device directly. I set this in the users file:
>
> test    Auth-Type := Local, User-Password == "test"
>         Cisco-AVPair = "shell:priv-lvl=15"
>
> but it doesn't work; the user test logs into the cisco as unprivileged.

Is this a CatOS switch? Then this should work:

test    Auth-Type := Local, User-Password == "test"
        Service-Type = Administrative-User

See http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094ea4.shtml#f

Bjørn
Re: LDAP changes between 1.01 and 1.1.5
Alan DeKok wrote:
> Ryan Kramer wrote:
> > I SUSPECT something might not be escaped in a manner the MS AD server likes, or maybe just the fact it has any escape sequences built in at all is what is causing it to toss it.
>
> No. As I have said already, the problem is that the LDAP queries are being escaped. Please pay attention to what I'm saying; it might help you solve the problem.
>
> The default install does not do this. The default configuration does not do this. Other people have not run into this problem. The problem is almost definitely the way you are building the queries.
>
> i.e. the LDAP queries are built up as:
>
> text from config file ldap_escape(other text) text from config ...
>
> The text that you, as administrator, entered into the configuration file is NEVER escaped. The text that a random user enters as a User-Name is ALWAYS escaped.

The problem is with the groupmembership_filter. It contains the Ldap-UserDn attribute which gets xlated and escaped:

(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

A DN usually contains commas which get escaped and break the ldap search. I am not so sure why we should escape ',' in the first place. That way we break any ldap searches for attribute values holding DNs.

> If you're putting queries into an attribute, and then later using that attribute as part of another query, that text WILL be escaped. The server has no way of telling where that text came from, so it's untrusted.
>
> The solution is to carefully examine how you build the queries. There may be simpler ways of doing it which avoid the double escaping issue.
>
> Alan DeKok.
Re: Version 2.0 is a lot closer to reality...
Arran Cudbard-Bell wrote:
> Techs will also want to test switches in new installs, and they won't like waiting a day for configuration changes to take effect, just as users won't like the service going down every hour, although we could stagger the server restarts

In reality I expect the users wouldn't even notice. It takes only a second or two to start the RADIUS server at the very most; most cases would be measured in milliseconds. With two or more redundant servers, that should be well inside the retry period of most NAS's.

The risk is that the server may not come back up (eg an error in the configuration that was changed), which makes automatic restarts or reloads potentially dangerous.

regards,
Mike
Re: assigning vlan based on NAS and LDAP field?
Matt Ashfield wrote:
> Hi all,
>
> We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a vlan based on that. Pretty simple and it works. However, there are two issues with this:
>
> 1. We have a sister campus, on a different network, who are sharing the same FR and LDAP servers for authentication. Obviously their NAS's are different than ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same vlan id's and the same vlan eligibility rules (ie staff get vlan x and students get vlan y) in order for this to work. I guess I'm hoping there is a way to assign different vlans based on the NAS ip address in addition to the student/staff distinction.

You can use multiple ldap module instances and set Autz-Type depending on the nas ip address (or better yet, huntgroups).

> 2. This follows into our future wired side implementation of 802.1x. In this case, we don't want our staff/student wired users to be assigned to the same vlans as they would be if they were on wireless. Rather we'd prefer to break them up based on their NAS or something like that.
>
> Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated.
>
> Thanks
> Matt
> [EMAIL PROTECTED]
Generating new EAP demo certs for freeradius
Hi,

I have just installed the freeradius package using yum, which is available for fedora 6. However, I found that the demo cert in the server for EAP has expired and can't be installed on my client. I'm trying to generate a new cert by using the script cert.sh. However, it seems that the package does not come with such a script. Am I able to download this from somewhere so that I can generate new sets of certificates?

Rgds
Andrea
Re: Segmentation fault on sigHUP
Alan DeKok wrote:
> Milan Holub wrote:
> > - we are keeping NAS entries in DB.
>
> Then the server should re-load them via reading the DB.
>
> > - these entries are edited by operation guys via web interface
> > - when a new NAS entry is added then we need to reload/restart freeradius
> > - we reload freeradius using SNMP write query (can be done via web interface as well, without need of ssh to the radius server)
>
> If the server automatically discovers NAS changes from the DB, then the server doesn't need to be reloaded.
>
> i.e. You're changing *one* thing: a NAS. You're then telling the server to reload *everything*. That's where the expense and complexity comes in.

The problem is: you add one NAS, but you need to update the clients list. To do that you have to lock the clients list for write and make sure no one reads it. That means you have to stop accepting requests and wait for already present ones to finish. Afterwards you just have to start accepting requests again. The same more or less applies to changes in module configuration (CRLs for TLS, users for the files module). You have to reload the module and in the meantime make sure no one uses it (and the best way to do that is by stopping accepting requests). This all sounds like the work done on a HUP, so I don't see any major differences.

> > In general when restarting the server you might lose some radius packets (especially on a highly loaded server), don't you?
>
> It's possible.
>
> > == what do you imagine under these features? Basically I thought HUP is good for reloading config files when one does not want to bring the server down but wants to bring some minor config change into effect.
>
> I am trying to say that there are OTHER ways to perform some minor config change than HUP. HUP should be the *last* resort.
>
> > == is there any other use of HUP?
>
> No. HUP is *only* to notify the server of configuration changes.
>
> Alan DeKok.
Re: LDAP changes between 1.01 and 1.1.5
> The problem is with the groupmembership_filter. It contains the Ldap-UserDn attribute which gets xlated and escaped:
>
> (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>
> A DN usually contains commas which get escaped and break the ldap search. I am not so sure why we should escape ',' in the first place. That way we break any ldap searches for attribute values holding DNs.

This is correct. For info, the python-ldap module contains a function:

    def escape_filter_chars(assertion_value):
        """Replace all special characters found in assertion_value by quoted notation"""
        s = assertion_value.replace('\\', r'\5c')
        s = s.replace(r'*', r'\2a')
        s = s.replace(r'(', r'\28')
        s = s.replace(r')', r'\29')
        s = s.replace('\x00', r'\00')
        return s

...implying that only \*()NUL need be escaped?
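To make the escaping rule from this reply and the earlier one under the same subject concrete, here is an added example (not FreeRADIUS or python-ldap code): it applies the RFC 4515 escape set to substituted attribute values only, shows that a DN's commas survive untouched while a filter-injection attempt in User-Name is neutralised, and checks the resulting filter the way a directory server would. GROUP_FILTER is the filter quoted in the thread; USER_FILTER and the sample DNs are constructed for the example.

```python
"""RFC 4515 escaping of LDAP search filter values (added example)."""
import re

# RFC 4515 section 3: the only characters that must be escaped inside an
# assertion value, each replaced by a backslash and two hex digits.
_RFC4515_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The rlm_ldap group membership filter quoted in the thread.
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

# Constructed user lookup filter carrying the untrusted User-Name attribute.
USER_FILTER = "(&(uid=%{User-Name})(objectClass=person))"

# %{Attr} references, the xlat syntax used in the filters above.
_XLAT_REF = re.compile(r"%\{([A-Za-z][\w-]*)\}")
# One simple assertion (attr=value); the value may hold no bare ( ) or \ .
_ASSERTION = re.compile(
    r"\(([A-Za-z][\w.;-]*)(=|~=|>=|<=)((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")
# A backslash that is not a hex escape makes the whole filter invalid.
_BAD_ESCAPE = re.compile(r"\\(?![0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value (same set as python-ldap's escape_filter_chars)."""
    return "".join(_RFC4515_SPECIAL.get(ch, ch) for ch in value)


def expand(template: str, attrs: dict) -> str:
    """Substitute %{Attr} references into a filter template, escaping every value.

    Template text (from the configuration) is never escaped; every substituted
    attribute value (from the request or the directory) always is.
    """
    def repl(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError("no value for %%{%s}" % name)
        return escape_filter_value(attrs[name])
    return _XLAT_REF.sub(repl, template)


def filter_assertions(filt: str) -> list:
    """Return the (attribute, raw value) pairs of a well-formed filter.

    Raises ValueError for unbalanced parentheses or for a backslash that is not
    followed by two hex digits, which is what a server rejects when a DN-style
    escape such as '\\,' ends up inside a filter instead of '\\2c'.
    """
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses in filter")
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter")
    if _BAD_ESCAPE.search(filt):
        raise ValueError("backslash not followed by two hex digits")
    return [(m.group(1), m.group(3)) for m in _ASSERTION.finditer(filt)]


if __name__ == "__main__":
    # Constructed sample values.
    user_dn = "cn=Jacob Jarick,ou=Staff,dc=example,dc=com"
    print(expand(GROUP_FILTER, {"Ldap-UserDn": user_dn}))  # commas untouched
    hostile = "*)(uid=*"
    print(USER_FILTER.replace("%{User-Name}", hostile))    # unescaped: 3 assertions
    print(expand(USER_FILTER, {"User-Name": hostile}))     # escaped: 2 assertions
```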
rlm_sql: Bug in stripping output of dynamic strings {sql:...}
Hi all,

- latest CVS head
- mysql Ver 14.7 Distrib 4.1.8, for pc-linux-gnu (i386)
- FreeRADIUS Version 2.0.0-pre0, for host i386-pc-linux-gnu, built on Apr 13 2007 at 10:11:51

I'm using dynamic variables like %{sql:sql statement} throughout my configuration to fetch data from the DB. For example acct_users:

DEFAULT Acct-Status-Type == Start
        session_count := "%{sql:select count(*) from radacct where username='%{SQL-User-Name}'}"

or the radgroupcheck table:

+----+-----------+---------------+----+-------------------------------------------------------------------------+
| id | GroupName | Attribute     | op | Value                                                                   |
+----+-----------+---------------+----+-------------------------------------------------------------------------+
| 44 | config    | session_count | := | `%{sql:select count(*) from radacct where username='%{SQL-User-Name}'}` |
| 47 | config    | product_code  | := | `%{sql:retun_some_string}`                                              |
+----+-----------+---------------+----+-------------------------------------------------------------------------+

or even in sqlcounter:

sqlcounter noresetcounterflat {
        counter-name = Max-All-Session-Time-Flat
        check-name = Max-All-Session-Flat
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT UNIX_TIMESTAMP()-UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE username='%{%k}' ORDER BY radacctid limit 1"
}

Unfortunately I'm getting the output stripped of its last character (byte): instead of getting 37 for session_count I get 3, instead of getting 1563 for noresetcounterflat I get 156, instead of getting S3H for product_code I get S3. When the query returns 1 character I get empty output.

BEGIN DEBUG
radius_xlat: Running registered xlat function of module sql for string 'select count(*) from radacct where username='%{SQL-User-Name}''
rlm_sql (sql): - sql_xlat
radius_xlat: 'fkafvt'
rlm_sql (sql): sql_set_user escaped user --> 'fkafvt'
radius_xlat: 'select count(*) from radacct where username='fkafvt''
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 2
radius_xlat: '3'
END DEBUG

The DB query clearly shows:

mysql> select count(*) from radacct where username = 'fkafvt';
+----------+
| count(*) |
+----------+
|       37 |
+----------+
1 row in set (0.00 sec)

This behaviour is the same no matter in which part of the config the dynamic string appears (radgroupcheck, acct_users, sqlcounter configuration).

My workaround for this was to output some additional dummy character from within mysql by surrounding the queries with the mysql concat function:

%{sql:select concat((select count(*) from radacct where username='%{SQL-User-Name}'),'\n')}

ie: %{sql: select concat((your query), '\n')}

I hope this could help someone until the code is fixed...

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--
Re: Segmentation fault for SNMP query
Hi Kevin,

On Thu, Apr 12, 2007 at 06:19:14PM -0400, Kevin Bonner wrote:
> > > Try http://bugs.freeradius.org/show_bug.cgi?id=150 I doubt that patch will still apply cleanly due to the many recent changes. I'll see if I can test the CVS head later today and submit a newer patch.
>
> It surprises me that it still applies cleanly (just offset) with the current CVS head. Feel free to test the patch and report results in the bug or on the list. It would be nice to see the bug squashed, but it's become a default patch for my local freeradius build so I haven't been bothered with the issue in a long time.
>
> Kevin Bonner

== I've applied the patch on cvs head. Here are the test results:

1) situation after start of freeradius (syslog output attached as well)

freeradius -X
...
Listening on SNMP SMUX with OID .1.3.6.1.4.1.3317.1.3.1
Ready to process requests.
Nothing to do. Sleeping until we see a request.
SMUX read start
SMUX read len: 12
SMUX message received type: 67 rest len: 4
SMUX_RRSP
SMUX_RRSP value: 0 errstat: 0
Nothing to do. Sleeping until we see a request.

tail -f /var/log/syslog
ucd-snmp[5234]: [smux_accept] accepted fd 3 from 127.0.0.1:39371
ucd-snmp[5234]: accepted smux peer: oid enterprises.3317.1.3.1, password verysecret, descr radiusd

Then freeradius accepts and processes the snmp queries correctly until the reload (either via HUP or snmp-write).
== you can see the snmp client connections in syslog:
ucd-snmp[5234]: Connection from 127.0.0.1
for each request.

Unfortunately when the reload is performed the situation is the following:

* syslog shows re-initialization of snmp upon reload:
tail -f /var/log/syslog
ucd-snmp[5234]: peer disconnected: enterprises.3317.1.3.1
ucd-snmp[5234]: [smux_accept] accepted fd 3 from 127.0.0.1:39374
ucd-snmp[5234]: accepted smux peer: oid enterprises.3317.1.3.1, password verysecret, descr radiusd

* but when trying to snmpwalk, freeradius does not respond to the query at all and the snmp client times out:
`snmpwalk -Cc -v 1 -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuthServUpTime.0`
Timeout: No Response from localhost

and the attempt is seen in syslog:
ucd-snmp[5234]: Connection from 127.0.0.1

To sum up: the patch applies to 2.0 but it does not work as expected :-(
If you have some ideas, then please advise.

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--
access-accept with exception
Hello,

My freeradius verifies the login, password and all other attributes. My question is: is it possible to access-accept all authentications that come with the attribute called-station-id= , and how do I configure this exception?

Thanks in advance for your reply.
SNMP with 1.1.6 and Net-SNMP 5.3
Hi,

trying for the first time to get SNMP working, and I have come to a point where I'm really startled why stuff doesn't work.

I've configured FreeRADIUS 1.1.6 with SNMP, and it's printing out that it is starting up the SMUX connection. Then the snmpd refuses the SMUX connection. This would usually mean I screwed up the shared secret, but I'm very sure I haven't. I even verified with tcpdump that FR sends the correct secret on the loopback wire. So the problem would appear to be that Net-SNMP is confused wrt the secret. But I configured it with the line

smuxpeer .1.3.6.1.4.1.3317.1.3.1 verysecret

(also without the leading dot, in my desperation; didn't help). The password *is* verysecret on the FR side. Debug output says:

...
Module: Instantiated detail (nas_reply_log)
 main: smux_password = verysecret
 main: snmp_write_access = no
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: verysecret
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register message send failed: Broken pipe
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

The broken pipe is because Net-SNMP closes the connection; its log says:

[smux_accept] accepted fd 9 from 127.0.0.1:4580
refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd

and tcpdump reveals that the reason for refusing is authenticationFailure.

Anyone else running a similar config? It's the version of Net-SNMP that came as RPM on SUSE 10.1. FR compiled freshly.

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
Fax: +352 422473
http://www.restena.lu
Re: Generating new EAP demo certs for freeradius
I downloaded the latest FR, compiled it but didn't install it, then used the script to generate the needed certs. Worked fine.
glibc double free or corruption still happening
Hi,

I've installed FreeRadius 1.1.6 on my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.

To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted.

Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other ideas?

Thank you,

Roberto Greiner

PS: The radiusd -X output:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 0
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
*** glibc detected *** double free or corruption (fasttop): 0x800fbcc8 ***
Aborted

--
Marcos Roberto Greiner
Optimists think we are living in the best of all possible worlds.
Pessimists are afraid that this is true.
Murphy
Re: glibc double free or corruption still happening
Roberto Greiner wrote:
> I've installed FreeRadius 1.1.6 on my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.
>
> To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted.
>
> Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other ideas?

http://wiki.freeradius.org/Build#Building_Debian_packages

--
Nicolas Baradakis
Re: glibc double free or corruption still happening
Roberto Greiner wrote:
> I've installed FreeRadius 1.1.6 on my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.

I'd love to know where it's coming from. I ran it on my system, and under valgrind, and saw nothing.

> To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted.
>
> Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other ideas?

$ valgrind --tool=memcheck --leak-check=full radiusd -X

It might get you more information.

Alan DeKok.
Re: SNMP with 1.1.6 and Net-SNMP 5.3
On Friday 13 April 2007 08:53:26 Stefan Winter wrote:
> Hi,
>
> trying for the first time to get SNMP working, and I have come to a point where I'm really startled why stuff doesn't work. I've configured FreeRADIUS 1.1.6 with SNMP, and it's printing out that it is starting up the SMUX connection. Then the snmpd refuses the SMUX connection. This would usually mean I screwed up the shared secret, but I'm very sure I haven't. I even verified with tcpdump that FR sends the correct secret on the loopback wire. So the problem would appear to be that Net-SNMP is confused wrt the secret. But I configured it with the line
>
>   smuxpeer .1.3.6.1.4.1.3317.1.3.1 verysecret
>
> (also without the leading dot, in my desperation; didn't help). The password *is* verysecret on the FR side. Debug output says:
>
> ...
> Module: Instantiated detail (nas_reply_log)
> main: smux_password = verysecret
> main: snmp_write_access = no
> SMUX connect try 1
> SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
> SMUX open progname: radiusd
> SMUX open password: verysecret
> SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
> SMUX register priority: -1
> SMUX register operation: 1
> SMUX register message send failed: Broken pipe
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> The broken pipe is because Net-SNMP closes the connection; its log says:
>
> [smux_accept] accepted fd 9 from 127.0.0.1:4580
> refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
>
> and tcpdump reveals that the reason for refusing is authenticationFailure. Anyone else running a similar config? It's the version of Net-SNMP that came as RPM on SUSE 10.1. FR compiled freshly.
>
> Greetings,
>
> Stefan Winter

I receive the same broken pipe error when the smuxpeer pass and smux_password aren't the same, though there is probably a more complex cause. Are there any non-standard characters in either config file? Is Net-SNMP configured with ucd-snmp compatibility?

Kevin Bonner
online users
I want to know how many users are logged in (MySQL database / RADIUS), but it only shows the number of users in my database. For example it says 61 logged out and 0 logged in. So here is the problem:

//login users from//
$login_users = ;

What do I have to write here? Which table do I have to query? How can I fix that? If I change the number from 0 to 1 it shows me one user online, so there must be a way to fix it. Here's the code:

<?php
include ("include/Artichow/class/jpgraph.php");
include ("include/Artichow/class/jpgraph_pie.php");
include ("include/Artichow/class/jpgraph_pie3d.php");
include_once ("class/Oreon.class.php");
include_once ("phpradmin.conf.php");

$oreon_db = new OreonDatabase($conf_pra["host"], $conf_pra["user"], $conf_pra["password"], $conf_pra["db"]);
$table = "userinfo";

// this one is valid
$total_users_in_db = $oreon_db->getTotalRowsInTable($table);
//$total_users_in_db = 500;

//login users from DB (SELECT COUNT(*) FROM radacct??;)
$login_users = 0;   // what has to go here?

//logoff users = total_users_in_db - login_users
$logoff_users = ($total_users_in_db - $login_users);

//percent
$percent_login = ($login_users * 100 / $total_users_in_db);
$percent_logoff = (100 - $percent_login);
$data = array($percent_login, $percent_logoff);
//$data = array(12,88);

$graph = new PieGraph(350, 170, "auto");
$graph->SetShadow();
//$graph->title->Set("{$lang['pra_total_users_in_db']}: $total_users_in_db");
$graph->title->Set("Total users in Data Base: $total_users_in_db");
$graph->title->SetFont(FF_FONT1, FS_BOLD);

$p1 = new PiePlot3D($data);
$p1->ExplodeSlice(1);
$p1->SetLabelType(PIE_VALUE_ABS);
$p1->SetSize(0.40);
$p1->SetCenter(0.33);
$p1->SetSliceColors(array('green', 'blue'));
$p1->setLegends(array("LogIN Users: $login_users", "LogOUT Users: $logoff_users"));

$graph->Add($p1);
$graph->Stroke();
?>
Re: glibc double free or corruption still happening
Have you tried this, which was suggested by Nicolas Baradakis [EMAIL PROTECTED]?

> You could try to use the libltdl from Fedora instead of the one from the FreeRADIUS sources.
>
> $ ./configure --with-system-libtool

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Roberto Greiner wrote:
>> I've installed FreeRadius 1.1.6 on my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.
>
> I'd love to know where it's coming from. I ran it on my system, and under valgrind, and it says nothing.
>
>> To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted.
>>
>> Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other ideas?
>
> $ valgrind --tool=memcheck --leak-check=full radiusd -X
>
> It might get you more information.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: assigning vlan based on NAS and LDAP field?
Message of 13/04/07 at 11:43
From: Kostas Kalevras
To: [EMAIL PROTECTED], FreeRadius users mailing list
Cc:
Subject: Re: assigning vlan based on NAS and LDAP field?

> Matt Ashfield wrote:
>> Hi all,
>>
>> We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a VLAN based on that. Pretty simple and it works. However, there are two issues with this:
>>
>> 1. We have a sister campus, on a different network, but who are sharing the same FR and LDAP servers for authentication. Obviously their NASes are different than ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same VLAN IDs and the same VLAN eligibility rules (i.e. staff get VLAN x and students get VLAN y) in order for this to work. I guess I'm hoping there is a way to assign different VLANs based on the NAS IP address in addition to the student/staff distinction.
>
> You can use multiple ldap module instances and set Autz-Type depending on the NAS IP address (or better yet huntgroups).
>
>> 2. This follows into our future wired side implementation of 802.1x. In this case, we don't want our staff/student wired users to be assigned to the same VLANs as they would be if they were on wireless. Rather we'd prefer to break them up based on their NAS or something like that.
>>
>> Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated.

You have to find an attribute in the RADIUS NAS request that will differentiate a wifi connection and a wired 802.1x connection: for me it is NAS-Port-Type = Wireless-802.11 for wifi and NAS-Port-Type = ethernet for wired 802.1x. Depending on this you send one VLAN or another in the RADIUS response. But you still can do it depending on the NAS IP.

Thomas

>> Thanks
>>
>> Matt
>> [EMAIL PROTECTED]
Re: glibc double free or corruption still happening
Nicolas Baradakis wrote:
> Roberto Greiner wrote:
>> I've installed FreeRadius 1.1.6 on my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.
>>
>> To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted.
>>
>> Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other ideas?
>
> http://wiki.freeradius.org/Build#Building_Debian_packages

That did the trick. Everything is working well. But before putting it into production I will try again the previous build and see if I can get the data Alan requested with valgrind.

Roberto

--
Marcos Roberto Greiner
Optimists think we live in the best of all possible worlds.
Pessimists are afraid that this is true.
Murphy
Re: glibc double free or corruption still happening
Roberto Greiner wrote:
> Nicolas Baradakis wrote:
>> Roberto Greiner wrote:
>>> I've installed FreeRadius 1.1.6 on my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.
>>>
>>> To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted.
>>>
>>> Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other ideas?
>>
>> http://wiki.freeradius.org/Build#Building_Debian_packages
>
> That did the trick. Everything is working well. But before putting it into production I will try again the previous build and see if I can get the data Alan requested with valgrind.
>
> Roberto

Er, it worked now. The build using the instructions from the wiki must have modified some library or something alike. Compiling and installing from source is not giving the double free error anymore :-(

Roberto

--
Marcos Roberto Greiner
Optimists think we live in the best of all possible worlds.
Pessimists are afraid that this is true.
Murphy
Re: online users
SELECT COUNT(*) FROM radacct WHERE AcctStopTime=0

That will give you the number of currently logged in users (according to the database).

Ivan Kalik
Kalik Informatika ISP

On 13/4/2007, Mordor Networks [EMAIL PROTECTED] writes:
> I want to know how many users are logged in (MySQL database / RADIUS), but it only shows the number of users in my database. For example it says 61 logged out and 0 logged in. So here is the problem:
>
> //login users from//
> $login_users = ;
>
> What do I have to write here? Which table do I have to query? How can I fix that? If I change the number from 0 to 1 it shows me one user online, so there must be a way to fix it. Here's the code:
>
> [...]
RE: online users
Be careful with just SQL COUNT(*). Sometimes NASes terminate a local session without a RADIUS session termination (e.g. the NAS was powered off); in this case you may have some users who are technically logged in, but that is not true! To avoid that you can select all users in the interval between the current time and CurrentTime-X (where X is your idle logout time). This one is still not 100% accurate, but it will trim off all the old garbage.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 13, 2007 2:28 PM
To: FreeRadius users mailing list
Subject: Re: online users

> SELECT COUNT(*) FROM radacct WHERE AcctStopTime=0
>
> That will give you the number of currently logged in users (according to the database).
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 13/4/2007, Mordor Networks [EMAIL PROTECTED] writes:
>> I want to know how many users are logged in (MySQL database / RADIUS), but it only shows the number of users in my database. For example it says 61 logged out and 0 logged in. So here is the problem:
>>
>> //login users from//
>> $login_users = ;
>>
>> What do I have to write here? Which table do I have to query? How can I fix that? If I change the number from 0 to 1 it shows me one user online, so there must be a way to fix it. Here's the code:
>>
>> [...]
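The two counts discussed in this thread, Ivan's plain COUNT(*) over open radacct rows and the time-bounded variant suggested above, side by side on constructed data. This is an added example, not code from anyone on the list: it assumes the FreeRADIUS 1.x radacct columns UserName, NASIPAddress, AcctStartTime, AcctSessionTime and AcctStopTime, stores times as epoch integers in an in-memory SQLite table standing in for MySQL (where the old schema stored an unset AcctStopTime as 0, hence the `AcctStopTime=0` test), takes AcctStartTime + AcctSessionTime as the moment of the last Interim-Update the server saw, and uses an assumed NAS idle timeout of 600 seconds as the X from the post.

```python
import sqlite3

# Assumed NAS idle timeout in seconds (the "X" from the thread).
IDLE_TIMEOUT = 600

# Fixed "now" so the results below are reproducible (constructed value:
# 2007-04-13 12:00:00 UTC as epoch seconds).
NOW = 1_176_465_600

# Constructed sample rows, NOT real accounting data:
# (UserName, NASIPAddress, AcctStartTime, AcctSessionTime, AcctStopTime)
SAMPLE_SESSIONS = [
    ("alice", "10.0.0.1", NOW - 3000, 2900, None),        # open, last update 100 s ago
    ("bob",   "10.0.0.1", NOW - 7200, 7100, None),        # open, last update 100 s ago
    ("carol", "10.0.0.2", NOW - 86400, 3600, None),       # open, silent for ~23 h: NAS died
    ("dave",  "10.0.0.2", NOW - 2000, 1950, 0),           # "unset" stop time stored as 0 (old MySQL schema)
    ("erin",  "10.0.0.1", NOW - 5000, 1000, NOW - 4000),  # closed normally by Accounting-Stop
]

OPEN_SESSION = "(AcctStopTime IS NULL OR AcctStopTime = 0)"


def build_db():
    """Create the stand-in radacct table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct ("
        " RadAcctId INTEGER PRIMARY KEY, UserName TEXT, NASIPAddress TEXT,"
        " AcctStartTime INTEGER, AcctSessionTime INTEGER, AcctStopTime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO radacct (UserName, NASIPAddress, AcctStartTime,"
        " AcctSessionTime, AcctStopTime) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_SESSIONS,
    )
    return conn


def count_open_sessions(conn):
    """Ivan's count: every row that never received an Accounting-Stop.

    NULL and 0 are both treated as "no stop time", so the query works
    against the old 0-filled MySQL schema as well as a NULL-filled one.
    """
    (n,) = conn.execute(f"SELECT COUNT(*) FROM radacct WHERE {OPEN_SESSION}").fetchone()
    return n


def count_active_sessions(conn, now=NOW, idle_timeout=IDLE_TIMEOUT):
    """The time-bounded count: open rows whose last known activity
    (AcctStartTime + AcctSessionTime, i.e. the last Interim-Update) falls
    within the idle timeout. Sessions left behind by a dead NAS drop out."""
    (n,) = conn.execute(
        f"SELECT COUNT(*) FROM radacct WHERE {OPEN_SESSION}"
        " AND AcctStartTime + AcctSessionTime >= ?",
        (now - idle_timeout,),
    ).fetchone()
    return n


def stale_sessions(conn, now=NOW, idle_timeout=IDLE_TIMEOUT):
    """Rows the naive count includes but the bounded one does not: the
    candidates for a cleanup job (or a missing Accounting-Stop alert),
    returned as user names."""
    rows = conn.execute(
        f"SELECT UserName FROM radacct WHERE {OPEN_SESSION}"
        " AND AcctStartTime + AcctSessionTime < ? ORDER BY UserName",
        (now - idle_timeout,),
    )
    return [user for (user,) in rows]


if __name__ == "__main__":
    db = build_db()
    print("open rows (naive):   ", count_open_sessions(db))
    print("active within timeout:", count_active_sessions(db))
    print("stale, needs cleanup: ", stale_sessions(db))
```

On the constructed rows the naive query reports four users online while the bounded one reports three; the difference is exactly the session from the NAS that went away without sending Accounting-Stop. With a real MySQL radacct the same idea is `WHERE AcctStopTime=0 AND AcctStartTime + INTERVAL AcctSessionTime SECOND >= NOW() - INTERVAL 600 SECOND`, which only reflects reality if the NAS actually sends Interim-Update packets and the sql module is configured to apply them.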
Re: online users
Hi Ivan, thank you for your reply. I tried this:

$requet = "SELECT COUNT(*) FROM radcheck WHERE AcctStopTime=0";
$login_users = $requet;

and

$login_users = "SELECT COUNT(*) FROM radcheck WHERE AcctStopTime=0";

Still 0. What am I doing wrong?
Re: online users
You need to be querying the radacct table - that is where you would find information on sessions. radcheck is generally only the static data regarding the users on your system.

regards
Graham Beneke

Mordor Networks wrote:
> Hi Ivan, thank you for your reply. I tried this:
>
> $requet = "SELECT COUNT(*) FROM radcheck WHERE AcctStopTime=0";
> $login_users = $requet;
>
> and
>
> $login_users = "SELECT COUNT(*) FROM radcheck WHERE AcctStopTime=0";
>
> Still 0. What am I doing wrong?
Re: online users
Hi Graham, yes sir, I know, but my question is how to do that. I'm all new to all this... Thank you.
WEP only client
I have a client whose wifi adaptor (Linksys WUSB11) can only do WEP key encryption, and I was wondering whether it would be possible to use EAP-TLS or something similar given the restrictions. What is the most secure system that can be used with this type of adaptor?

--
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
Re: WEP only client
Ian Truelsen wrote:
> I have a client whose wifi adaptor (Linksys WUSB11) can only do WEP key encryption, and I was wondering whether it would be possible to use EAP-TLS or something similar given the restrictions. What is the most secure system that can be used with this type of adaptor?

What about creating a WEP channel and forcing this user to authenticate into a VPN tunnel after connecting? In fact, you can even have a network completely free and unsecured and force all connections to use VPN. Clients can have a SW VPN client (i.e. the CISCO SW one) and the AP will be connected to the VPN gateway only.

stepan
Re: rlm_sql: Bug in stripping output of dynamic strings {sql:...}
Milan Holub wrote:
> Unfortunately I'm getting the output stripped by the last character (byte): instead of getting 37 for session_count I get 3, instead of getting 1563 for noresetcounterflat I get 156, instead of getting S3H for product_code I get S3. When the query returns 1 character I get empty output.

Ah. That looks like an issue with strlcpy. Try a cvs update, I've fixed a line in sql_xlat.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog