RE: RE : FreeRadius + Freetds + unixodbc
> so by starting radiusd -X i have this error:
>
>     rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc) loaded and linked
>     rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
>     rlm_sql (sql): starting 0
>     rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
>     rlm_sql_unixodbc: SQL down 08S01 [unixODBC][FreeTDS][SQL Server]Server is unavailable or does not exist.
>     rlm_sql_unixodbc: Connection failed
>     rlm_sql (sql): Failed to connect DB handle #0
>     rlm_sql (sql): starting 1
>     rlm_sql (sql): starting 2
>     rlm_sql (sql): starting 3
>     rlm_sql (sql): starting 4
>     rlm_sql (sql): Failed to connect to any SQL server

As you can figure out, you have a connection error to your MS SQL DB. It is not specifically a radius problem, it is only a misconfigured db connection. First of all, try to connect to the db with the isql program. Previously there was an article on this list about this: http://lists.cistron.nl/pipermail/freeradius-users/2005-October/047463.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to force the group processing?
Hi, How can I force the group processing after the positive authentication with the radcheck table. I want to achieve the following: after I authenticate the user I would like to add a reply attribute if the user belongs to the particular group. Thank you in advance. Tomasz - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to force the group processing?
Hi Tomasz, On Wed, Apr 18, 2007 at 10:07:41AM +0200, tzieleniewski wrote: Hi, How can I force the group processing after the positive authentication with the radcheck table. I want to achieve the following: after I authenticate the user I would like to add a reply attribute if the user belongs to the particular group. == you need to enable read_groups parameter in your sql.conf and apply a patch to rlm_sql.c Check the patch on http://archives.free.net.ph/message/20070412.093816.5a45acf0.en.html and also related thread(contains also link to wiki): http://archives.free.net.ph/message/20070412.100026.8b3bc4a9.en.html Milan Holub holub (at) thenet (dot) ch -- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR + openldap + WPA, auth fails
matthew zeier wrote: Can you post the errors? I haven't used 1.0.1 in *years*, so I have no idea what may or may not work when upgrading from 1.0.1 to 1.1.6. Should have mentioned that that's what RHEL4 ships. I've seen that with other projects, too. RedHat has a tendency to include versions of software that are *years* out of date. I have no idea why they do this. It's one thing to support older versions. I understand the reasons for that. But I don't understand forcing *new* customers to use software that is almost 3 years out of date. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius 2.0.0-pre Making all in main compilation error
Hi,

I have just downloaded the CVS trunk sources. When I compile them I get the following errors. Please point out what I am missing.

    Making all in main...
    make[4]: Entering the directory `/home/radius/src/radiusd/src/main'
    /home/radius/src/radiusd/libtool --mode=link gcc -export-dynamic -dlopen self \
      -pie -o radiusd acct.lo auth.lo client.lo conffile.lo crypt.lo exec.lo files.lo listen.lo log.lo mainconfig.lo modules.lo modcall.lo radiusd.lo radius_snmp.lo session.lo smux.lo threads.lo util.lo valuepair.lo version.lo xlat.lo event.lo realms.lo \
      ../lib/libradius.la -lnsl -lresolv -lpthread -lsnmp \
      -lcrypt -lltdl -lcrypto -lssl -lcrypto
    rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
    creating .libs/radiusdS.c
    (cd .libs gcc -g -O2 -c -fno-builtin radiusdS.c)
    rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
    gcc .libs/radiusdS.o -pie -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/radius_snmp.o .libs/session.o .libs/smux.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o -Wl,--export-dynamic ../lib/.libs/libradius.so -lnsl -lresolv -lpthread /usr/lib/libsnmp.so -lcrypt /usr/lib/libltdl.so -ldl -lssl -lcrypto -Wl,--rpath -Wl,/home/radius/freeradius/lib
    collect2: ld returned 1 exit status
    make[4]: *** [radiusd] Błąd 1
    make[4]: Leaving the directory `/home/radius/src/radiusd/src/main'
    make[3]: *** [common] Błąd 2
    make[3]: Leaving the directory `/home/radius/src/radiusd/src'
    make[2]: *** [all] Błąd 2
    make[2]: Leaving the directory `/home/radius/src/radiusd/src'
    make[1]: *** [common] Błąd 2
    make[1]: Leaving the directory `/home/radius/src/radiusd'
    make: *** [all] Błąd 2

Thanks in advance

Cheers
Tomasz
Re: Radius 2.0.0-pre Making all in main compilation error
tzieleniewski wrote: I have just downloaded the CVS trunk sources. When I compile them I get the following errors: Please point me what do I miss. I'm in the middle of re-writing portions of the code. It may not build from time to time. ... collect2: ld returned 1 exit status And there's no other information about what's missing, which makes it difficult to solve the problem. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql: readclients segmentation fault
Hi Alan, On Tue, Apr 17, 2007 at 03:54:25PM +0200, Milan Holub wrote: Hi Alan, On Tue, Apr 17, 2007 at 11:45:28AM +0200, Alan DeKok wrote: *Please* run the server under valgrind to find the source of these problems. == finally I managed to compile valgrind and can give you thus its output... I did fresh cvs checkout and then created a debian package on woody(export LDFLAGS='-lz'; dpkg-buildpackage -b -uc -d). Point 2) I've also compiledtested on debian testing with the same result. After cvs commits from this morning I'm getting segmentation faults in following cases: 1) snmpwalk (read-query) - when reading the NAS entries `/usr/local/bin/valgrind --tool=memcheck --leak-check=full freeradius -X /devel/freeradius/debug/fr_snmp_walk_1.txt` when running `snmpwalk -Cc -v 1 -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt -c verysecret localhost radiusAuth` I get Segmentation fault:-( == full -X debug output + valgrind: http://pastebin.ca/444684 2) when receiving HUP signal == full -X debug output + valgrind: http://pastebin.ca/444717 3) snmpset (write-query) - similar to 2) == similar output as in 2) 4) on any incoming radius request (when the corresponding NAS is stored in mysql nas table) == full -X debug output + valgrind: http://pastebin.ca/444719 Am I doing something wrong? Nobody else experience similar behaviour? Please advise. PS: I like this http://pastebin.ca - it keeps the mailing lists clean... All segmentation faults were related to the same snmp issue - accessing num_tree structure. Here is a debug output for case 4) rad_recv: Access-Request packet from host NAS_IN_NAS_TABLE port 43052, id=161, length=46 Program received signal SIGSEGV, Segmentation fault. 
[Switching to Thread 1024 (LWP 26896)] 0x080529ab in auth_socket_recv (listener=0x815aac0, pfun=0xbfffea1c, prequest=0xbfffea20) at listen.c:389 389 break; (gdb) (gdb) (gdb) bt #0 0x080529ab in auth_socket_recv (listener=0x815aac0, pfun=0xbfffea1c, prequest=0xbfffea20) at listen.c:389 #1 0x08059073 in main (argc=2, argv=0xbbb4) at radiusd.c:643 (gdb) print client $1 = (RADCLIENT *) 0x81ff5e8 (gdb) list 384 */ 385 switch(packet-code) { 386 case PW_AUTHENTICATION_REQUEST: 387 RAD_SNMP_CLIENT_INC(listener, client, requests); 388 fun = rad_authenticate; 389 break; 390 391 case PW_STATUS_SERVER: 392 if (!mainconfig.status_server) { 393 RAD_SNMP_TYPE_INC(listener, total_packets_dropped); (gdb) print client-auth $2 = (rad_snmp_client_entry_t *) 0x0 == as you can see the rad_snmp_client_entry type should contain some data but it does not. As I do not care much about detail snmp info about every NAS thus I've done following dummy changes in order to fix the segmentation faults: 1)+2)+3) do not insert clients into snmp structure... Index: ./src/main/client.c === RCS file: /source/radiusd/src/main/client.c,v retrieving revision 1.56 diff -u -r1.56 client.c --- ./src/main/client.c 17 Apr 2007 09:22:36 - 1.56 +++ ./src/main/client.c 18 Apr 2007 14:11:38 - @@ -207,7 +207,7 @@ return 0; } -#ifdef WITH_SNMP +#ifdef WITH_SNMPX if (!tree_num) { tree_num = rbtree_create(client_num_cmp, NULL, 0); } Index: ./src/main/event.c === RCS file: /source/radiusd/src/main/event.c,v retrieving revision 1.20 diff -u -r1.20 event.c --- ./src/main/event.c 18 Apr 2007 10:03:30 - 1.20 +++ ./src/main/event.c 18 Apr 2007 14:14:32 - 
@@ -111,24 +111,24 @@ case PW_AUTHENTICATION_ACK: rad_snmp.auth.total_responses++; rad_snmp.auth.total_access_accepts++; - if (client) client-auth-accepts++; + //if (client) client-auth-accepts++; break; case PW_AUTHENTICATION_REJECT: rad_snmp.auth.total_responses++; rad_snmp.auth.total_access_rejects++; - if (client) client-auth-rejects++; + //if (client) client-auth-rejects++; break; case PW_ACCESS_CHALLENGE: rad_snmp.auth.total_responses++; rad_snmp.auth.total_access_challenges++; - if (client) client-auth-challenges++; + //if (client) client-auth-challenges++; break; case PW_ACCOUNTING_RESPONSE: rad_snmp.acct.total_responses++; - if (client) client-auth-responses++; + //if (client) client-auth-responses++; break; /* @@ -138,7 +138,7 @@ case 0: if (request-packet-code == PW_AUTHENTICATION_REQUEST) {
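Review bot: `WITH_SNMPX` in the client.c hunk is an otherwise unused macro name, so the `tree_num` setup is switched off by what reads as a typo, and the next person to touch the file is likely to "correct" it back and reintroduce the crash. If this is meant as a temporary workaround, `#if 0` with a one-line comment naming the NULL `client->auth` problem states the intent; the gdb output above shows the per-client SNMP entry was never allocated, so allocating it where the client is added would remove the need to compile this block out at all.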
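Review bot: the `if (client)` guards in the event.c hunk test the wrong pointer, and commenting the lines out hides that rather than fixing it. The dereference that faults is `client->auth`, which gdb shows as 0x0 while `client` itself is valid, so `if (client && client->auth) client->auth->accepts++;` (and the same for rejects, challenges and responses) stops the crash and keeps the counters for clients that do have an entry. In the `PW_ACCOUNTING_RESPONSE` case the per-client counter is `client->auth->responses` next to `rad_snmp.acct.total_responses`; it is worth checking whether an accounting counter was intended there. The faulting line in the backtrace, `RAD_SNMP_CLIENT_INC(listener, client, requests)` at listen.c:387, is not touched by any hunk shown here.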
Re: rlm_sql: readclients segmentation fault
Milan Holub wrote: ... (gdb) print client-auth $2 = (rad_snmp_client_entry_t *) 0x0 Ah. client_add() doesn't create the necessary structure. I've just fixed that. This works for me but I believe Alan will fix the issue cleanly ASAP:) g Anyway thanks Alan for your hard job on freeradius. Just wait. I'm trying to get major capabilities into 2.0, or maybe 2.1. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
active directory host authentication
Hi, Using freeradius 1.1.5 samba 3.0.24...i have an interesting problem, and was curious what methods other people would take to solve it. I am setting up radius for our new wpa2 wireless network, which means that windows machine auth should work so that people can LOGIN to their laptops. i have it working (with a slight hack). when a windows xp machine sends its machine auth to radius it sends host/machinename.activedirectorydomain.domain.domain. so freeradius takes the activedirectorydomain part of that and assumes that the domain's actual name (what you use for authentication) in our caseblame the windows people, that is NOT the case. example computer.ad.clarku.edu is the dns name...however that computer is actually joined to the CLARKU domain..so the authentication needs to be against the CLARKU domain as the AD domain doesn't exist. does that make sense? any ideas? the hack i have in place is a hardcoded domain of CLARKU in the NTLM_AUTH check(this can't stay as we have multiple domains). thanks in advance for any insight. Joe - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Technical support
Well, it's not the question of money, it's more question of my time and finding 2-3 unused machines that I can use for the test then.

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
Sent: Wednesday, April 18, 2007 12:21 AM
To: FreeRadius users mailing list
Subject: Re: Technical support

step 1 for me is to get radius to auth against ADS via ldap (I got ntlm working fine). Unfortunately because this job is contracted by the govt it has to be done their specific way every step which means freeradius HAS TO auth against a 2003 ADS via LDAP.

Unfortunately I cannot give out access to my work test pc's due to security restrictions out of my control (I could but then I'd be in trouble).

What would your asking price be for a working FR 1.1.6 config that can auth against 2003 ADS using LDAP.

Regarding VLANS, I need users with a GID of students to be put onto vlan2 and users with GID staff to be put onto vlan3

On 4/18/07, Alex M [EMAIL PROTECTED] wrote:

Well we are in New York. So the only way we can help you is to do SSH. Technically LDAP should work straight forward, unless your DC does not want to accept connections from remote PC and especially Linux. We don't use Windows in our company any more, but I can set up DC and see if my radius can access it and then just send you config file.

As to VLANS, I'm not sure what u looking for, if you wanna do something like separation of Ethernet channels for Ethernet service provider then it should be done by your NAS if that is supported. I would assume your NAS should be listening for some custom attribute to assign vlan tag to specific user group.

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
Sent: Tuesday, April 17, 2007 10:52 PM
To: FreeRadius users mailing list
Subject: Re: Technical support

I am In Western Australia Perth.

Currently having major issues with ldap authentication (done correctly as far as I can tell but I don't get replies from forums / mailing groups) and once that is sorted I need to figure out vlan assignment based on ou or group.

On 4/18/07, Alex M [EMAIL PROTECTED] wrote:

What's your location?

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
Sent: Tuesday, April 17, 2007 10:25 PM
To: FreeRadius users mailing list
Subject: Technical support

Hello,

I'm looking for a company that can provide professional level of technical support. If any one here can recommend one I would appreciate it.

I am after technical support, due to lack of good documentation on the freeradius project. Most the stuff I need done has only incomplete docs.
Re: active directory host authentication
Hi, xp machine sends its machine auth to radius it sends host/machinename.activedirectorydomain.domain.domain. so freeradius takes the activedirectorydomain part of that and assumes that the domain's actual name (what you use for authentication) in our caseblame the windows people, that is NOT the case. example computer.ad.clarku.edu is the dns name...however that computer is actually joined to the CLARKU domain..so the authentication needs to be against the CLARKU domain as the AD domain doesn't exist. does that make sense? any ideas? well, you can use regexp/attr_filter to look for these systems and then just chop off the activedirectorydomain.domain.domain. part thus allowing the AD REALM to be forced by yourselves. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: active directory host authentication
well, you can use regexp/attr_filter to look for these systems and then just chop off the activedirectorydomain.domain.domain. part thus allowing the AD REALM to be forced by yourselves. I tried something similar i used attr_rewrite to replace the bad parts of User-Name with the modified correct values, it, however because i am using eap-ttls, i got an eap error rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler can you point me to a doc where the attr_filter is explained better? from reading the comments/documentation i got the impression it was primarily used for proxying, and wouldn't work for other things... Joe - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
On 4/17/07, Alan DeKok [EMAIL PROTECTED] wrote: Rick Macdougall wrote: Hi, We seem to be having the The maximum number of threads (32) are active with Freeradius 1.0.3. Version 1.0.1 works just fine. Upgrade to 1.1.6. It has a whole host of fixes. Hi, Upgraded to 1.1.6 and the problem persists. The maximum number of threads (32) are active, cannot spawn new thread to handle request rad_recv: Access-Request packet from host 206.123.6.28:1645, id=239, length=208 Discarding duplicate request from client aeiusr05:1645 - ID: 239 due to unfinished request 56 $ ./configure --with-gnu-ld --with-threads --with-thread-pool --disable-ltdl-install --with-rlm-sql_mysql-include-dir=/usr/include/mysql --with-mysql-lib-dir=/usr/lib/mysql --with-unixodbc-lib-dir=/usr/lib --with-rlm-dbm-lib-dir=/usr/lib --with-rlm-krb5-include-dir=/usr/kerberos/include --sysconfdir=/etc --prefix=/usr --exec_prefix=/usr --localstatedir=/var --sbindir=/usr/sbin Any other ideas ? Only seems to happen with accounting, no apparent problems with authentication. Regards, Rick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: active directory host authentication
Hi, I tried something similar i used attr_rewrite to replace the bad parts of User-Name with the modified correct values, it, however because i am using eap-ttls, i got an eap error rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler ah! you really cannot play with User-Name - as you have found, the client doesnt like that to be changed. what you want to do is copy User-Name to Stripped-User-Name and then play with Stripped-User-Name - and use that in the rest of the stages. attr_rewrite is the one you want to use - i've just been busy with some other things - attr_filter was a typo! alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: active directory host authentication
ah! you really cannot play with User-Name - as you have found, the client doesnt like that to be changed. what you want to do is copy User-Name to Stripped-User-Name and then play with Stripped-User-Name - and use that in the rest of the stages. how do i copy User-Name to something else? what i ended up doing (it's not super pretty, but works) is using Hints and if prefix == host (as machines auth as host/blahblah) then i set a new attribute called domain and use that for the auth, and if i get a real domain as the prefix i just assign that as the attribute domain...not pretty but it works. Joe - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
On Wed 18 Apr 2007, Rick Macdougall wrote: On 4/17/07, Alan DeKok [EMAIL PROTECTED] wrote: Rick Macdougall wrote: Hi, We seem to be having the The maximum number of threads (32) are active with Freeradius 1.0.3. Version 1.0.1 works just fine. Upgrade to 1.1.6. It has a whole host of fixes. Hi, Upgraded to 1.1.6 and the problem persists. The maximum number of threads (32) are active, cannot spawn new thread to handle request rad_recv: Access-Request packet from host 206.123.6.28:1645, id=239, length=208 Discarding duplicate request from client aeiusr05:1645 - ID: 239 due to unfinished request 56 $ ./configure --with-gnu-ld --with-threads --with-thread-pool --disable-ltdl-install --with-rlm-sql_mysql-include-dir=/usr/include/mysql --with-mysql-lib-dir=/usr/lib/mysql --with-unixodbc-lib-dir=/usr/lib --with-rlm-dbm-lib-dir=/usr/lib --with-rlm-krb5-include-dir=/usr/kerberos/include --sysconfdir=/etc --prefix=/usr --exec_prefix=/usr --localstatedir=/var --sbindir=/usr/sbin Any other ideas ? Only seems to happen with accounting, no apparent problems with authentication. Yep. Your backend is too slow to keep up. Accounting is inserts and updates... Auth is selects.. BIG difference in speed... Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Follow up.

It is updating/inserting records into the mysql radacct database but it seems that an ACK is not sent back to the remote server and the thread is not released. A minute later the remote server tries again, etc etc until the threads max out at 32.

Regards,
Rick
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Yep. Your backend is too slow to keep up. Accounting is inserts and updates... Auth is selects.. BIG difference in speed... Not a speed issue, the mysql records are inserted within milliseconds of the detail file being written. Running radiusd -x shows the sql accounting happening almost instantly. And if it was a speed issue, it would affect the older version running on Fedora as well. Just fyi, we are talking about millions of records in the database by month's end, so if it was a slow backend nothing would work, ever. Regards, Rick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Grouping after Kerberos 5 authentication accepted?
Hello, Is it possible for FreeRadius to perform grouping after Kerberos authentication accepted? My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. Allow telnet to the switch if the user belongs to the 'switch administrator' group). I've looked in the huntgroup file but it seems to require a lot of works for a very large company (5000+ users), and the problem is we can't touch the Kerberos server. Any help would be appreciated. Thank you Regards, Jason - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Crypt passwords doesn't work
Hi,

I migrated a freeradius server from version 0.6 to 1.5. I'm using a users file for authorize.

The server doesn't authorize and when I do a debug (radiusd -X) I saw the User-password in clear text. If I modify the User-password in the users file by the clear text one it works.

Here are the debug and an entry of the users file:

    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.
    rad_recv: Access-Request packet from host 10.12.4.2:1645, id=91, length=75
        NAS-IP-Address = 10.12.4.2
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "sebas"
        Calling-Station-Id = "10.11.1.25"
        User-Password = "hello"
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched entry sebas at line 50
    modcall[authorize]: module "files" returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: user supplied User-Password does NOT match local User-Password
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds

users file

    sebas   Auth-Type := Local, Crypt-Password == "(!lGOOlHaBWoQ"
            Service-Type = Administrative-User,
            Cisco-AVPair = "shell:priv-lvl=15"

Thanks very much!!
Re: active directory host authentication
Hi,

> how do i copy User-Name to something else?

there are guides out there..and various snippets from mail archives but you can start by doing stuff like

    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor = ""
        searchin = packet
        replacewith = "%{User-Name}"
    }

    attr_rewrite remove-domain {
        attribute = Stripped-User-Name
        searchfor = "\.test\.domain\.com"
        searchin = packet
        new_attribute = no
        replacewith = ""
    }

    attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = "^(host/.*)"
        searchin = packet
        new_attribute = no
        replacewith = "%{1}$"
    }

then you can add

    copy.user-name
    remove-domain
    add-dollar-sign

to the authorize section

alan
Re: Crypt passwords doesn't work
Sebastian Firpo wrote: sebas Auth-Type := Local, Crypt-Password == (!lGOOlHaBWoQ Remove the Auth-Type := Local. Let FR decide on what the auth type is. It knows better than you. ;) If you search the list archives, this comes up about once a week. Don't set Auth-Type unless you really know what you are doing. Also, I think you want := instead of ==. There is no Crypt-Password attribute in the request, so you can't compare them. Use := to set Crypt-Password and then let FR do its magic. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Crypt passwords doesn't work
On Wednesday 18 April 2007 16:39:27 Sebastian Firpo wrote:
> Hi,
>
> I migrated a freeradius server from version 0.6 to 1.5. I'm using a users file for authorize.

Wow, that's quite a leap. I assume from 0.6 to 1.1.5?

> The server doesn't authorize and when I do a debug (radiusd -X) I saw the User-password in clear text. If I modify the User-password in the users file by the clear text one it works.
>
> Here are the debug and an entry of the users file:
>
>     Listening on authentication *:1812
>     Listening on accounting *:1813
>     Ready to process requests.
>     rad_recv: Access-Request packet from host 10.12.4.2:1645, id=91, length=75
>         NAS-IP-Address = 10.12.4.2
>         NAS-Port = 1
>         NAS-Port-Type = Virtual
>         User-Name = "sebas"
>         Calling-Station-Id = "10.11.1.25"
>         User-Password = "hello"
>     Processing the authorize section of radiusd.conf
>     modcall: entering group authorize for request 0
>     modcall[authorize]: module "preprocess" returns ok for request 0
>     users: Matched entry sebas at line 50
>     modcall[authorize]: module "files" returns ok for request 0
>     modcall: leaving group authorize (returns ok) for request 0
>     rad_check_password: Found Auth-Type Local
>     auth: type Local
>     auth: user supplied User-Password does NOT match local User-Password
>     auth: Failed to validate the user.
>     Delaying request 0 for 1 seconds
>
> users file
>
>     sebas   Auth-Type := Local, Crypt-Password == "(!lGOOlHaBWoQ"
>             Service-Type = Administrative-User,
>             Cisco-AVPair = "shell:priv-lvl=15"
>
> Thanks very much!!

Don't set Auth-Type, the server will figure it out. The operator for Crypt-Password should be changed to := as well.

Kevin Bonner
Re: Crypt passwords doesn't work
Thank you Kevin, but it didn't work.

Now my entire users file is:

    sebas   Crypt-Password := "(!lGOOlHaBWoQ"
            Service-Type = Administrative-User,
            Cisco-AVPair = "shell:priv-lvl=15"

and then the debug was:

    rad_recv: Access-Request packet from host 10.12.4.2:1645, id=103, length=75
        NAS-IP-Address = 10.12.4.2
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "sebas"
        Calling-Station-Id = "10.11.1.25"
        User-Password = "hello"
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched entry sebas at line 1
    modcall[authorize]: module "files" returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
    auth: type Crypt
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 103 to 10.12.4.2 port 1645
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 103 with timestamp 4626942f
    Nothing to do. Sleeping until we see a request.

Another idea??

Thanks a lot, any way.

Kevin Bonner wrote:
> On Wednesday 18 April 2007 16:39:27 Sebastian Firpo wrote:
> > Hi,
> >
> > I migrated a freeradius server from version 0.6 to 1.5. I'm using a users file for authorize.
>
> Wow, that's quite a leap. I assume from 0.6 to 1.1.5?
>
> > The server doesn't authorize and when I do a debug (radiusd -X) I saw the User-password in clear text. If I modify the User-password in the users file by the clear text one it works.
> >
> > Here are the debug and an entry of the users file:
> >
> >     Listening on authentication *:1812
> >     Listening on accounting *:1813
> >     Ready to process requests.
> >     rad_recv: Access-Request packet from host 10.12.4.2:1645, id=91, length=75
> >         NAS-IP-Address = 10.12.4.2
> >         NAS-Port = 1
> >         NAS-Port-Type = Virtual
> >         User-Name = "sebas"
> >         Calling-Station-Id = "10.11.1.25"
> >         User-Password = "hello"
> >     Processing the authorize section of radiusd.conf
> >     modcall: entering group authorize for request 0
> >     modcall[authorize]: module "preprocess" returns ok for request 0
> >     users: Matched entry sebas at line 50
> >     modcall[authorize]: module "files" returns ok for request 0
> >     modcall: leaving group authorize (returns ok) for request 0
> >     rad_check_password: Found Auth-Type Local
> >     auth: type Local
> >     auth: user supplied User-Password does NOT match local User-Password
> >     auth: Failed to validate the user.
> >     Delaying request 0 for 1 seconds
> >
> > users file
> >
> >     sebas   Auth-Type := Local, Crypt-Password == "(!lGOOlHaBWoQ"
> >             Service-Type = Administrative-User,
> >             Cisco-AVPair = "shell:priv-lvl=15"
> >
> > Thanks very much!!
>
> Don't set Auth-Type, the server will figure it out. The operator for Crypt-Password should be changed to := as well.
>
> Kevin Bonner
Re: Crypt passwords doesn't work
Thank you Dennis, but it didn't work.

Now my entire users file is:

    sebas   Crypt-Password := "(!lGOOlHaBWoQ"
            Service-Type = Administrative-User,
            Cisco-AVPair = "shell:priv-lvl=15"

and then the debug was:

    rad_recv: Access-Request packet from host 10.12.4.2:1645, id=103, length=75
        NAS-IP-Address = 10.12.4.2
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "sebas"
        Calling-Station-Id = "10.11.1.25"
        User-Password = "hello"
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched entry sebas at line 1
    modcall[authorize]: module "files" returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
    auth: type Crypt
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 103 to 10.12.4.2 port 1645
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 103 with timestamp 4626942f
    Nothing to do. Sleeping until we see a request.

Another idea??

Thanks a lot, any way.

Dennis Skinner wrote:
> Sebastian Firpo wrote:
> >     sebas   Auth-Type := Local, Crypt-Password == "(!lGOOlHaBWoQ"
>
> Remove the Auth-Type := Local. Let FR decide on what the auth type is. It knows better than you. ;)
>
> If you search the list archives, this comes up about once a week. Don't set Auth-Type unless you really know what you are doing.
>
> Also, I think you want := instead of ==. There is no Crypt-Password attribute in the request, so you can't compare them. Use := to set Crypt-Password and then let FR do its magic.
Re: Crypt passwords doesn't work
html

I almost ignored your message, as I don't parse HTML well. =)

On Wednesday 18 April 2007 18:06:28 Sebastian Firpo wrote:
Thank you Kevin, but it didn't work. Now my entire users file is:

sebas Crypt-Password := "(!lGOOlHaBWoQ"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=15"

and then the debug was:

rad_recv: Access-Request packet from host 10.12.4.2:1645, id=103, length=75
        NAS-IP-Address = 10.12.4.2
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "sebas"
        Calling-Station-Id = "10.11.1.25"
        User-Password = "hello"

Another idea?? Thanks a lot, anyway.

$ perl -e 'print crypt("hello","(!") . "\n";'
(!BVoPlmea8cg

Fix your Crypt-Password? How are you generating that encrypted string?

-Kevin
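The two corrections given in this thread (do not force Auth-Type; set Crypt-Password with := instead of comparing with ==) can be checked mechanically before a users file is deployed. The Python sketch below is an added example, not part of the original posts and not FreeRADIUS code; the function names, the sample file, the inclusion of User-Password and the exemption for Auth-Type Accept/Reject are assumptions of the example.

```python
import re

# Check items that carry the stored password; the thread's advice is to set
# them with := so the server derives the Auth-Type on its own.
PASSWORD_ATTRS = {"Crypt-Password", "User-Password"}
# Assumption of this example: Accept/Reject are policy decisions, not forced methods.
POLICY_AUTH_TYPES = {"Accept", "Reject"}

# attribute, operator, then a quoted string or a bare token, optional comma
ITEM_RE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(:=|==|\+=|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')

def parse_entries(text):
    """Return (line_no, user, [(attr, op, value), ...]) for each entry header."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        # Entry headers start in column 0; reply items are indented, # is a comment.
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        items = [(m.group(1), m.group(2), m.group(3).strip('"'))
                 for m in ITEM_RE.finditer(rest)]
        entries.append((no, parts[0], items))
    return entries

def lint(text):
    """Return (line_no, user, attr, message) for each check item to review."""
    findings = []
    for no, user, items in parse_entries(text):
        for attr, op, value in items:
            if attr == "Auth-Type" and value not in POLICY_AUTH_TYPES:
                findings.append((no, user, attr, "forced Auth-Type; remove it"))
            elif attr in PASSWORD_ATTRS and op != ":=":
                findings.append((no, user, attr, f"operator {op} should be :="))
    return findings

# Constructed sample: the first entry is the one posted in the thread,
# the other two are made up for contrast.
SAMPLE = '''\
sebas   Auth-Type := Local, Crypt-Password == "(!lGOOlHaBWoQ"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=15"

fixed   Crypt-Password := "(!lGOOlHaBWoQ"
        Service-Type = Administrative-User

DEFAULT Auth-Type := Reject
'''

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("line %d, user %s, %s: %s" % finding)
```

The linter only covers the operator and Auth-Type mistakes; whether the stored hash actually matches the password still has to be checked with crypt(), as in the perl one-liner above.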
Re: Howto compile 1.1.6 on Fedora 6
I just tried building 1.1.6 as an rpm on suse, it fails with this error.

[EMAIL PROTECTED] src]# rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec
error: File /usr/src/redhat/SOURCES/freeradius-1.1.5.tar.gz: No such file or directory

These are corrected instructions.

Notes:
* The wiki glosses over a little and gives u an incorrect dir
* the spec file expects 1.1.5 tar.gz

# cd /usr/src
# tar zxvf /root/Desktop/freeradius-1.1.6.tar.gz
# cp /root/Desktop/freeradius-1.1.6.tar.gz /usr/src/redhat/SOURCES/freeradius-1.1.5.tar.gz
# cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/
# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec

On 4/16/07, Nicolas Baradakis [EMAIL PROTECTED] wrote:
You were not told to pick up a random RPM on the net. The wiki explains how to build yourself a RPM from sources. The resulting package should run without problem on the host where it was compiled.
Fedora 1.1.6 rpm build BROKEN
The deps have incorrect names, ie requests apache2-devel but fedora calls it httpd2-devel and so on. So atm, rpm building completely broken, any comments / suggestions are welcome. I will be going back to compiling from source until the bins are resolved.

I suppose I could use some random rpm for 1.1.6 or compile the source but for now I will go back to using 1.1.3 that is provided with fedora (it installs without dep errors).

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 19, 2007 10:18 AM
Subject: 1.1.6 rpm build errors
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Notes:
* The wiki glosses over a little and gives u an incorrect dir
* the spec file expects 1.1.5 tar.gz

# cd /usr/src
# tar zxvf /root/Desktop/freeradius-1.1.6.tar.gz
# cp /root/Desktop/freeradius-1.1.6.tar.gz /usr/src/redhat/SOURCES/freeradius-1.1.5.tar.gz
# cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/
# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec

^ that gets me to this point here:

[EMAIL PROTECTED] src]# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec
sh: apxs2-prefork: command not found
sh: apxs2-prefork: command not found
sh: apxs2-prefork: command not found
error: Failed build dependencies:
        apache2-devel is needed by freeradius-1.1.5-0.generic.i386
        db-devel is needed by freeradius-1.1.5-0.generic.i386
        gettext-devel is needed by freeradius-1.1.5-0.generic.i386
        mysql-devel is needed by freeradius-1.1.5-0.generic.i386
        net-snmp-devel is needed by freeradius-1.1.5-0.generic.i386
        openldap2-devel is needed by freeradius-1.1.5-0.generic.i386
        postgresql-devel is needed by freeradius-1.1.5-0.generic.i386
        unixODBC-devel is needed by freeradius-1.1.5-0.generic.i386

now checking yum and smart --gui I do not see apache2-devel for starters.

So for the mean time I am back to compiling as rpm's are causing the issues they are famous for. If some1 has some tips on resolving dependencies I will be interested.

But I do not see what it needs apache2 headers anyway.
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Rick Macdougall wrote:
It is updating/inserting records into the mysql radacct database but it seems that an ACK is not sent back to the remote server and the thread is not released. A minute later the remote server tries again, etc etc until the threads max out at 32.

That says that the inserts are *not* succeeding. i.e. they start, but they never stop. This means that the threads handling the requests are blocked, that they never respond to the client, and that new threads get created for new requests until the maximum gets reached.

The problem may be that the MySQL libraries are built without threading support, or that they somehow don't work from multiple threads. I would say run it in non-threaded mode (-s) until the problem can be tracked down and fixed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: SQL Accounting problem with 1.0.3 - The maximum number of threads (32) are active
Rick Macdougall wrote:
Recompiled with --without-threads and it locks up hard on the first accounting request. And when I say locks up hard, I mean not even a kill -9 will stop it, I have to reboot the server.

Are you sure your OS isn't buggy? It's a bad problem if kill -9 doesn't work.

Maybe the process had a memory leak, allocated gigs of RAM, and was in the middle of dumping core. For reasons I've never understood, most OS's don't allow core dumping to be interruptible.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog