log file for free radius 1.1.6 eap-tls authentication
Hi, I am using FreeRADIUS 1.1.6 with EAP-TLS authentication. The whole setup is working fine, but I am not getting any logs, like "user login ok", "login failed", etc. Please guide me: how will I get logs, and what configuration do I need to do in the configuration files?

Regards,
Anoop

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Response with invalid signature
I have checked all secrets and they are the same. Not all Accounting-Responses have an invalid signature; this error message only occurs sometimes. It's very strange.

Rio

2007/5/23, Alex French <[EMAIL PROTECTED]>:
> On 23/05/07, Rio Yang <[EMAIL PROTECTED]> wrote:
> > NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk)
> >
> > (FreeRadius proxy to JuniperSBR)
> >
> > The error message occurred between FreeRADIUS and JuniperSBR.
>
> But then you need to set the same shared secret on the FreeRadius server
> and the JuniperSBR, nothing to do with the NAS.
>
> Alex
Re: Grouping users and clients
Giovanni Lovato wrote:
> Hi all.
> We have a set of Cisco routers and a pool of users in an LDAP
> directory. At this time routers are configured to request
> authentication to FreeRadius, which binds to LDAP and grants access to
> the user on successfully binding.
> We need to create groups of routers and groups of users, granting
> access to certain groups of routers only to certain groups of users.
> Can we do that using FreeRadius?

groups of routers = huntgroups

The ldap module provides functionality for group handling.

> Thank you,
> G.L.

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
dictionary handling
Hi,

Since I just began to use freeradius in production I found some strangeness. The default configuration is to include all dictionaries, but I wonder how they are evaluated? I have a Cisco NAS which sends (at least I think) VSA records, and so I configured the Cisco VSA hack. For accounting reasons I'm interested in Cisco-PreSession-Time, which is 198. In the detail log I found X-Ascend-PreSession-Time instead of Cisco-PreSession-Time though. If I grep through the dictionaries I find:

  dictionary.alvarion:ATTRIBUTE Alvariaon-VSA-198           198 string
  dictionary.aptis:ATTRIBUTE    CVX-PreSession-Time         198 integer
  dictionary.ascend:ATTRIBUTE   Ascend-PreSession-Time      198 integer
  dictionary.ascend:ATTRIBUTE   X-Ascend-PreSession-Time    198 integer
  dictionary.cisco:ATTRIBUTE    Cisco-PreSession-Time       198 integer
  dictionary.epygi:ATTRIBUTE    Epygi-OutRTP_PacketSize     198 integer
  dictionary.lucent:ATTRIBUTE   Lucent-PreSession-Time      198 integer

So I find it strange that freeradius logs X-Ascend-PreSession-Time at all, since it's not the first match and not the last one. In addition I wonder if it makes sense that dictionary.ascend has two definitions for 198. I was under the impression that the correct dictionary would be chosen by the vendor ID (9 in the case of Cisco). So any idea why freeradius logs Ascend attributes then?

Thanks,
Wolfgang
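The question above turns on how a RADIUS server decides which dictionary entry a "198" belongs to. A vendor-specific attribute is carried inside attribute 26 together with a 4-octet Vendor-Id, and that Vendor-Id, not the vendor-type number alone, selects the dictionary (RFC 2865 section 5.26). The following Python is an added example written for this digest, not FreeRADIUS code or anything posted in the thread. Its three-entry dictionary is constructed: 9 is Cisco's enterprise number (named in the post), 529 is assumed here for Ascend, and the example further assumes that the second dictionary.ascend definition (X-Ascend-PreSession-Time) describes a plain attribute 198 in the standard number space rather than a VSA, which is one way the poster's observation could arise; that assumption is marked in the code and is not confirmed by the post.

```python
"""Added example: resolving attribute number 198 by the Vendor-Id it is
carried under.  The dictionary is constructed for this example."""
import struct

ATTR_VENDOR_SPECIFIC = 26

# Constructed mini-dictionary.  Key (0, n) stands for a plain attribute n in
# the standard number space; (vendor_id, n) for vendor-type n under a vendor.
DICTIONARY = {
    (0, 198): ("X-Ascend-PreSession-Time", "integer"),  # assumption: plain attribute 198
    (9, 198): ("Cisco-PreSession-Time", "integer"),     # Cisco, enterprise number 9
    (529, 198): ("Ascend-PreSession-Time", "integer"),  # 529 assumed for Ascend
}


def encode_plain(type_, value):
    """Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("BB", type_, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """RFC 2865 section 5.26: attribute 26 wrapping Vendor-Id (4 octets) and
    one Vendor-Type / Vendor-Length / value sub-attribute."""
    sub = struct.pack("BB", vendor_type, len(value) + 2) + value
    return encode_plain(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def _lookup(vendor_id, number, raw):
    """Map (Vendor-Id, number) to a name; decode 4-octet integers."""
    fallback = f"Attr-{number}" if vendor_id == 0 else f"Vendor-{vendor_id}-Attr-{number}"
    name, dtype = DICTIONARY.get((vendor_id, number), (fallback, "octets"))
    if dtype == "integer" and len(raw) == 4:
        return name, struct.unpack("!I", raw)[0]
    return name, raw


def decode(data):
    """Return [(name, value), ...] for a run of attributes.  A VSA is resolved
    through its Vendor-Id first and its vendor-type number second."""
    out, pos = [], 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"malformed attribute at offset {pos}")
        value = data[pos + 2:pos + length]
        if t == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id plus a sub-attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub = 4
            while sub + 2 <= len(value):
                vt, vl = value[sub], value[sub + 1]
                if vl < 2 or sub + vl > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                out.append(_lookup(vendor_id, vt, value[sub + 2:sub + vl]))
                sub += vl
        else:
            out.append(_lookup(0, t, value))
        pos += length
    return out


def demo():
    """Three ways a '198' can arrive; only the Vendor-Id tells them apart."""
    thirty = struct.pack("!I", 30)  # constructed sample value
    return {
        "cisco_vsa": decode(encode_vsa(9, 198, thirty)),
        "ascend_vsa": decode(encode_vsa(529, 198, thirty)),
        "plain_198": decode(encode_plain(198, thirty)),
    }


if __name__ == "__main__":
    for case, decoded in demo().items():
        print(case, decoded)
```

The point the example makes is that a bare attribute 198 and a Cisco VSA with vendor-type 198 are different wire encodings, so if the detail log shows an Ascend name the practical check is to capture a packet from the NAS and see whether the value arrives inside attribute 26 with Vendor-Id 9 at all.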
Grouping users and clients
Hi all.

We have a set of Cisco routers and a pool of users in an LDAP directory. At this time routers are configured to request authentication to FreeRadius, which binds to LDAP and grants access to the user on successfully binding. We need to create groups of routers and groups of users, granting access to certain groups of routers only to certain groups of users. Can we do that using FreeRadius?

Thank you,
G.L.

--
www.aldu.net/~heruan
[EMAIL PROTECTED]
Re: Problem with logging detail-log to syslog
> I want to log all the freeradius (v 1.1.3) logs to syslog (syslog-ng).
> I've already added this to my syslog-ng.conf:
>
>   filter f_radiusd { match ("radiusd"); };
>   destination radiuslogs { file("var/log/radiusd.log"); };
>   log { source (src); filter(f_daemon); filter(f_radiusd);
>         destination(radiuslogs);};
>
> And I changed/added this in my radiusd.conf:
>
>   logdir = syslog
>   log_destination = syslog
>
> So far so good: when I restart syslog-ng and radiusd, radiusd is logging
> to /var/log/radiusd.log via syslog. But I also want to have the
> detail-logs, which are normally in the radacct directory, working in
> syslog... Now I see this error in /var/log/radiusd.log:
>
>   rlm_detail: Failed to create directory syslog/radacct: No such file or
>   directory
>
> So the rlm_detail part doesn't understand the 'logdir = syslog' option
> in radiusd.conf I guess? How can I fix this?

We created a pipe/FIFO:

  mkfifo /var/logfifo -m 600
  chown radius /var/logfifo

Included the pipe/FIFO in the syslog-ng configuration:

  source src { ...; pipe('/var/logfifo'); ... }

Changed the radiusd.conf detail section:

  detailfile = /var/logfifo

Changed all the occurrences of ${logdir} in radiusd.conf for radwtmp/radutmp/sradutmp, if being used, from

  SOMETHING = ${logdir}/SOMETHING

to

  SOMETHING = ${localstatedir}/log/radius/SOMETHING

HTH,
Tom

--
Tom Whitehouse
Department of Computer Science, University of York
Heslington, York YO10 5DD, United Kingdom
email: [EMAIL PROTECTED] | Fax: +44 1904 432767
http://www.cs.york.ac.uk | Voice: +44 1904 434725
strange thing happening with rlm_perl
Hi,

I'm using FR 1.1.2 and Perl 5.8.4, and wrote a simple Perl script to return 2 random LNSs for a given huntgroup.

  $ uname -a
  Linux radius1_staging 2.6.8-x4100-1 #1 SMP Wed Jun 7 08:58:42 BST 2006 x86_64 GNU/Linux

This is what I have in "users", right at the top:

  #
  [EMAIL PROTECTED]  Huntgroup-Name == testhuntgroup
          Framed-Protocol = PPP,
          Service-Type = "Dialout-Framed-User"

  DEFAULT  Auth-Type = Perl
          Fall-Through = 1

  DEFAULT  Huntgroup-Name == othergroup, Suffix == "@foo"
          ...
  #

I have radiusd.conf set up as per http://wiki.freeradius.org/Rlm_perl and the following group in authorize:

  group {
          ldap {
                  fail = return
                  notfound = return
          }
          files {
                  ok = 1
          }
          perl {
                  ok = 1
          }
          auth_log
          ok = return
  }

My Perl simply slurps a file with the several LNS parameters and returns 2 randomly chosen ones through %RAD_REPLY:

  sub authorize {
          # boring file reading and random op...
          my ( $ip1, $password1, $pref1 ) = @{ $lns[$lns1] };
          $RAD_REPLY{'Tunnel-Server-Endpoint:1'} = $ip1;
          $RAD_REPLY{'Tunnel-Type:1'}            = "L2TP";
          $RAD_REPLY{'Tunnel-Medium-Type:1'}     = "IP";
          $RAD_REPLY{'Tunnel-Password:1'}        = "$password1";
          $RAD_REPLY{'Tunnel-Assignment-Id:1'}   = "1";
          $RAD_REPLY{'Tunnel-Preference:1'}      = "$pref1";

          my ( $ip2, $password2, $pref2 ) = @{ $lns[$lns2] };
          $RAD_REPLY{'Tunnel-Server-Endpoint:2'} = $ip2;
          $RAD_REPLY{'Tunnel-Type:2'}            = "L2TP";
          $RAD_REPLY{'Tunnel-Medium-Type:2'}     = "IP";
          $RAD_REPLY{'Tunnel-Password:2'}        = "$password2";
          $RAD_REPLY{'Tunnel-Assignment-Id:2'}   = "2";
          $RAD_REPLY{'Tunnel-Preference:2'}      = "$pref2";

          return RLM_MODULE_UPDATED;
  }

What I'm seeing in the response are mixed AV pairs, and the connection fails (I assume because the data for each tunnel is incomplete).

Here is what I see in the logs and the response sent:

  rlm_perl: Added pair Tunnel-Assignment-Id = 2
  rlm_perl: Added pair Tunnel-Medium-Type = IP
  rlm_perl: Added pair Tunnel-Type = L2TP
  rlm_perl: Added pair Tunnel-Server-Endpoint = x.x.x.x
  rlm_perl: Added pair Tunnel-Password = foo
  rlm_perl: Added pair Tunnel-Assignment-Id = 1
  rlm_perl: Added pair Service-Type = Dialout-Framed-User
  rlm_perl: Added pair Tunnel-Medium-Type = IP
  rlm_perl: Added pair Tunnel-Server-Endpoint = y.y.y.y
  rlm_perl: Added pair Framed-Protocol = PPP
  rlm_perl: Added pair Tunnel-Type = L2TP
  rlm_perl: Added pair Tunnel-Preference = 1
  rlm_perl: Added pair Tunnel-Password = bar
  rlm_perl: Added pair Tunnel-Preference = 50

Here it seems to be ignoring the :1 and :2 for each tunnel. This then results in the following reply, with values from both tunnels mixed:

  Sending Access-Accept of id 234 to t.t.t.t port 9208
          Framed-Protocol = PPP
          Service-Type = Dialout-Framed-User
          Tunnel-Assignment-Id:2 = "2"
          Tunnel-Medium-Type:1 = IP
          Tunnel-Type:1 = L2TP
          Tunnel-Server-Endpoint:2 = "x.x.x.x"
          Tunnel-Password:2 = "foo"
          Tunnel-Preference:2 = 1

Am I doing something wrong, and if so, what? Any help much appreciated.

Thanks in advance,
Pedro
freeradius as a middleware between multiple ldap/ADS-s ervers and CMS
Hello,

I have got a very general question. I have got a Moodle CMS on the internet. For single sign-in I made an LDAP authentication between our ADS in school and Moodle, so every teacher and student can log into Moodle with his Windows domain password. Now other schools are also interested in single sign-in to our Moodle. Unfortunately only one LDAP connection is accepted by Moodle at one time, so I'm looking for a middleware. On one side the middleware has to handle multiple LDAP/ADS servers, and on the other side the middleware has to talk to Moodle with one host address, one port and one shared key. Will RADIUS be my friend? The RADIUS connector does exist in Moodle.

Stefan
Re: Accounting-Response with invalid signature
On 23/05/07, Rio Yang <[EMAIL PROTECTED]> wrote:
> NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk)
>
> (FreeRadius proxy to JuniperSBR)
>
> The error message occurred between FreeRADIUS and JuniperSBR.

But then you need to set the same shared secret on the FreeRadius server and the JuniperSBR, nothing to do with the NAS.

Alex
Re: Problem with logging detail-log to syslog
Claudiu,

I've got that line in my config, with the exact same path.

Grtz,
Mark
Re[2]: Problem with logging detail-log to syslog
Hi Mark,

It seems that you forgot a line with

  radacctdir = ${logdir}/radacct

If you have no line with radacctdir, then add one with the correct path.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T: +40344880100
F: +40344880113
Re: Problem with logging detail-log to syslog
Claudiu,

I know what logdir means :) But according to the Syslog_Howto from the wiki, http://wiki.freeradius.org/Syslog_HOWTO :

  Modify /etc/raddb/radiusd.conf:

    logdir = syslog
    log_destination = syslog

  Because of the logdir entry above, you must locate all references to
  ${logdir}, comment the line out and replace it with an absolute path.
  There must be better ways to do this, but it isn't immediately obvious.

So, I didn't find out that logdir part myself. The wiki also mentions that I have to replace all ${logdir} values with an absolute path. But I don't want that, because syslog has to take care of that part.

Grtz,
Mark van Herpen

Claudiu Filip wrote:
> Hi Mark,
> Wednesday, May 23, 2007, 2:47:10 PM, you wrote:
>
>> logdir = syslog
>
> [...]
>
>> rlm_detail: Failed to create directory syslog/radacct: No such file or
>> directory
>
> LOGDIR means... log dir :>
>
> regards,
> Claudiu Filip
AW: Problem connecting to a router via RADIUS Server authentication
Make sure you have the same shared secret configured on your Linksys router and in your clients.conf. It looks like this:

  # Linksys
  client 192.168.6.15 {
          secret    = whatever
          shortname = myRouter
          nastype   = other
  }

Replace "whatever" with the secret key.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of prajakta choudhari
Sent: Wednesday, 23 May 2007 14:34
To: freeradius-users@lists.freeradius.org
Subject: Problem connecting to a router via RADIUS Server authentication

Hi all:

I have configured the radius server. I have a Linksys router with wireless security as RADIUS enabled and a laptop that connects to the Linksys router. Whenever I try connecting to the router I get the following message on the machine with the radius server. The clients.conf has the secret key as testing123. In which other file do I have to put the same key?

  Cleaning up request 4 ID 0 with timestamp 46543306
  Nothing to do.  Sleeping until we see a request.
  rad_recv: Access-Request packet from host 192.168.6.15:2050, id=0, length=129
  Received packet from 192.168.6.15 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.

Could someone throw light on this issue?

Thank you
Prajakta Choudhari
Re: Problem connecting to a router via RADIUS Server authentication
Hi Prajakta,

Be sure you have in clients.conf something like:

  client 192.168.6.15 {
          secret    = working789
          shortname = mylinksys
          nastype   = other
  }

Restart radiusd if you changed something here. Then go to http://192.168.6.15 to configure your Linksys and in the RADIUS section set the RADIUS password/shared secret to working789. Use your own password instead of working789.

Regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T: +40344880100
F: +40344880113
Re: Problem with logging detail-log to syslog
Hi Mark,

Wednesday, May 23, 2007, 2:47:10 PM, you wrote:

> logdir = syslog

[...]

> rlm_detail: Failed to create directory syslog/radacct: No such file or
> directory

LOGDIR means... log dir :>

regards,
Claudiu Filip
Re: Very critical: Memory leak in freeradius-1.1.6
On 5/23/07, nikitha george <[EMAIL PROTECTED]> wrote:

Please find the valgrind output below. It shows that so much memory is still reachable. I guess we are not cleaning up all the expired cached sessions at a regular interval.

  ==21844== 7,456 bytes in 29 blocks are still reachable in loss record 33 of 44
  ==21844==    at 0x48054FB: realloc (vg_replace_malloc.c:306)
  ==21844==    by 0x351D54: (within /lib/libcrypto.so.0.9.8b)
  ==21844==    by 0x352486: CRYPTO_realloc (in /lib/libcrypto.so.0.9.8b)
  ==21844==    by 0x3A4776: lh_insert (in /lib/libcrypto.so.0.9.8b)
  ==21844==    by 0x355527: OBJ_NAME_add (in /lib/libcrypto.so.0.9.8b)
  ==21844==    by 0x3AC41C: EVP_add_digest (in /lib/libcrypto.so.0.9.8b)
  ==21844==    by 0x486EF91: SSL_library_init (in /lib/libssl.so.0.9.8b)
  ==21844==    by 0x4BAAE03: eaptls_attach (rlm_eap_tls.c:287)
  ==21844==    by 0x4B95230: eaptype_load (eap.c:122)
  ==21844==    by 0x4B93D1B: eap_instantiate (rlm_eap.c:145)
  ==21844==    by 0xCCBE: find_module_instance (modules.c:358)
  ==21844==    by 0xDCBD: do_compile_modsingle (modcall.c:1005)
  ==21844==
  ==21844== 10,692 bytes in 33 blocks are still reachable in loss record 34 of 44
  ==21844==    at 0x4805400: malloc (vg_replace_malloc.c:149)
  ==21844==    by 0x4830106: pairmake (valuepair.c:1049)
  ==21844==    by 0x4830A58: pairread (valuepair.c:1244)
  ==21844==    by 0x4830C15: userparse (valuepair.c:1296)
  ==21844==    by 0x9BAB: pairlist_read (files.c:200)
  ==21844==    by 0x4BBB5FF: preprocess_instantiate (rlm_preprocess.c:493)
  ==21844==    by 0xCCBE: find_module_instance (modules.c:358)
  ==21844==    by 0xDCBD: do_compile_modsingle (modcall.c:1005)
  ==21844==    by 0xD34C: setup_modules (modules.c:580)
  ==21844==    by 0x10A35: main (radiusd.c:965)
  ==21844==
  ==21844== 13,325 bytes in 21 blocks are still reachable in loss record 35 of 44
  ==21844==    at 0x480473F: calloc (vg_replace_malloc.c:279)
  ==21844==    by 0x4FE8F57A: _dl_new_object (in /lib/ld-2.5.so)
  ==21844==    by 0x4FE8B0E0: _dl_map_object_from_fd (in /lib/ld-2.5.so)
  ==21844==    by 0x4FE8D403: _dl_map_object (in /lib/ld-2.5.so)
  ==21844==    by 0x4FE96668: dl_open_worker (in /lib/ld-2.5.so)
  ==21844==    by 0x4FE92C05: _dl_catch_error (in /lib/ld-2.5.so)
  ==21844==    by 0x4FE96191: _dl_open (in /lib/ld-2.5.so)
  ==21844==    by 0x419BCD0C: dlopen_doit (in /lib/libdl-2.5.so)
  ==21844==    by 0x4FE92C05: _dl_catch_error (in /lib/ld-2.5.so)
  ==21844==    by 0x419BD38B: _dlerror_run (in /lib/libdl-2.5.so)
  ==21844==    by 0x419BCC43: dlopen@@GLIBC_2.1 (in /lib/libdl-2.5.so)
  ==21844==    by 0x48392A9: sys_dl_open (ltdl.c:958)
  ==21844==
  ==21844== 15,808 bytes in 670 blocks are still reachable in loss record 36 of 44
  ==21844==    at 0x4805400: malloc (vg_replace_malloc.c:149)
  ==21844==    by 0x418C001F: strdup (in /lib/libc-2.5.so)
  ==21844==    by 0x79D7: cf_section_read (conffile.c:207)
  ==21844==    by 0x8094: conf_read (conffile.c:917)
  ==21844==    by 0xB55D: read_radius_conf_file (mainconfig.c:1264)
  ==21844==    by 0xB6A5: read_mainconfig (mainconfig.c:1309)
  ==21844==    by 0x109F2: main (radiusd.c:941)
  ==21844==
  ==21844== 26,768 bytes in 336 blocks are still reachable in loss record 37 of 44
  ==21844==    at 0x4805400: malloc (vg_replace_malloc.c:149)
  ==21844==    by 0x4B944E1: eap_compose (eap.c:395)
  ==21844==    by 0x4B93AC8: eap_authenticate (rlm_eap.c:341)
  ==21844==    by 0xE3C7: modcall (modcall.c:236)
  ==21844==    by 0xEA6B: call_one (modcall.c:269)
  ==21844==    by 0xE5B9: modcall (modcall.c:324)
  ==21844==    by 0xC63D: indexed_modcall (modules.c:469)
  ==21844==    by 0x5213: rad_check_password (auth.c:380)
  ==21844==    by 0x579A: rad_authenticate (auth.c:675)
  ==21844==    by 0xFC66: rad_respond (radiusd.c:1675)
  ==21844==    by 0x116B1: main (radiusd.c:1440)
  ==21844==
  ==21844== 49,152 bytes in 4 blocks are still reachable in loss record 38 of 44
  ==21844==    at 0x4805400: malloc (vg_replace_malloc.c:149)
  ==21844==    by 0x4825B3F: lrad_hash_table_insert (hash.c:375)
  ==21844==    by 0x4822AAF: dict_addattr (dict.c:478)
  ==21844==    by 0x482316B: my_dict_init (dict.c:744)
  ==21844==    by 0x4822F71: my_dict_init (dict.c:1050)
  ==21844==    by 0x4822F71: my_dict_init (dict.c:1050)
  ==21844==    by 0x4823DC5: dict_init (dict.c:1258)
  ==21844==    by 0xB5AF: read_radius_conf_file (mainconfig.c:1276)
  ==21844==    by 0xB6A5: read_mainconfig (mainconfig.c:1309)
  ==21844==    by 0x109F2: main (radiusd.c:941)
  ==21844==
  ==21844== 64,892 bytes in 1,704 blocks are still reachable in loss record 39 of 44
  ==21844==    at 0x4805400: malloc (vg_replace_malloc.c:149)
  ==21844==    by 0x153DC: rad_malloc (util.c:308)
  ==21844==    by 0x79AE: cf_section_read (conffile.c:203)
  ==21844==    by 0x8094: conf_read (conffile.c:917)
  ==21844==    by 0xB55D: read_radius_conf_file (mainconfig.c:1264)
  ==21844==    by 0xB6A5: read_mainconfig (mainconfig.c:1309)
  ==21844==    by 0x109F2: main (radiusd.c:941)
  ==21844==
  ==21844== 136,877 bytes in 5,331 blocks are stil
Re: FreeRadius on openSuse Error
On Wed 23 May 2007, Siqhamo Sifo wrote:
> I am currently running freeradius on openSuse 10.2 and when I do a tail -f
> on my log file I see the following error message:
>
>   Error: Exec-Program: FAILED to execute /usr/local/bin/mtacnt: No such file or directory
>
> What I find strange is that it seems like mtacnt is not installed on my
> system, which I find strange because when I took a look at my other radius
> box which is running FC5 the cmd mtacnt is available.

What is /usr/local/bin/mtacnt? It does not ship with SUSE or FC. (If it did it would not live under /usr/local.)

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Problem connecting to a router via RADIUS Server authentication
Hi all:

I have configured the radius server. I have a Linksys router with wireless security as RADIUS enabled and a laptop that connects to the Linksys router. Whenever I try connecting to the router I get the following message on the machine with the radius server. The clients.conf has the secret key as testing123. In which other file do I have to put the same key?

  Cleaning up request 4 ID 0 with timestamp 46543306
  Nothing to do.  Sleeping until we see a request.
  rad_recv: Access-Request packet from host 192.168.6.15:2050, id=0, length=129
  Received packet from 192.168.6.15 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.

Could someone throw light on this issue?

Thank you
Prajakta Choudhari
Re: Accounting-Response with invalid signature
Hi Milan,

Sorry, I didn't describe my architecture in more detail.

  NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk)

  (FreeRadius proxy to JuniperSBR)

The error message occurred between FreeRADIUS and JuniperSBR. In my thinking, there is no secret error in the Accounting-Request, so why do I get the secret error in the Accounting-Response?

Rio

2007/5/23, Milan Holub <[EMAIL PROTECTED]>:
> Hi Rio,
>
> what type of NAS are you using? I've experienced similar behaviour with
> nocat software. The problem was that the NAS did not generate a correct
> packet signature according to the RFC. I have a simple patch to freeradius
> to bypass checking of the signature of accounting packets. Although the
> correct way is to fix your NAS to create the signature according to the
> RFC. Anyway I can send you the patch for testing if needed.
>
> Regards
> Milan Holub
> holub (at) thenet (dot) ch
> --
> TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
> CH-3018, Bern, Switzerland
> 031 998 4333, Fax 031 998 4330
> http://www.thenet.ch http://wlan.thenet.ch
> --
Problem with logging detail-log to syslog
Hello,

I want to log all the freeradius (v 1.1.3) logs to syslog (syslog-ng). I've already added this to my syslog-ng.conf:

  filter f_radiusd { match ("radiusd"); };
  destination radiuslogs { file("var/log/radiusd.log"); };
  log { source (src); filter(f_daemon); filter(f_radiusd);
        destination(radiuslogs);};

And I changed/added this in my radiusd.conf:

  logdir = syslog
  log_destination = syslog

So far so good: when I restart syslog-ng and radiusd, radiusd is logging to /var/log/radiusd.log via syslog. But I also want to have the detail-logs, which are normally in the radacct directory, working in syslog... Now I see this error in /var/log/radiusd.log:

  rlm_detail: Failed to create directory syslog/radacct: No such file or directory

So the rlm_detail part doesn't understand the 'logdir = syslog' option in radiusd.conf I guess? How can I fix this?

Thanks in advance
Mark van Herpen
FreeRadius on openSuse Error
I am currently running freeradius on openSuse 10.2 and when I do a tail -f on my log file I see the following error message:

  Error: Exec-Program: FAILED to execute /usr/local/bin/mtacnt: No such file or directory

What I find strange is that it seems like mtacnt is not installed on my system, which I find strange because when I took a look at my other radius box which is running FC5 the cmd mtacnt is available.

Can anyone help?

Regards
Sq
Re: Accounting-Response with invalid signature
Hi Rio,

what type of NAS are you using? I've experienced similar behaviour with nocat software. The problem was that the NAS did not generate a correct packet signature according to the RFC. I have a simple patch to freeradius to bypass checking of the signature of accounting packets. Although the correct way is to fix your NAS to create the signature according to the RFC. Anyway I can send you the patch for testing if needed.

Regards
Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
--
Different behavior when run with -X and not
  usr/local/freeradius-1.1.6/etc/raddb/huntgroups"
   preprocess: hints = "/usr/local/freeradius-1.1.6/etc/raddb/hints"
   preprocess: with_ascend_hack = no
   preprocess: ascend_channels_per_line = 23
   preprocess: with_ntdomain_hack = no
   preprocess: with_specialix_jetstream_hack = no
   preprocess: with_cisco_vsa_hack = no
   preprocess: with_alvarion_vsa_hack = no
  Module: Instantiated preprocess (preprocess)
  Module: Loaded realm
   realm: format = "suffix"
   realm: delimiter = "@"
   realm: ignore_default = no
   realm: ignore_null = no
  Module: Instantiated realm (suffix)
  Module: Loaded files
   files: usersfile = "/usr/local/freeradius-1.1.6/etc/raddb/users"
   files: acctusersfile = "/usr/local/freeradius-1.1.6/etc/raddb/acct_users"
   files: preproxy_usersfile = "/usr/local/freeradius-1.1.6/etc/raddb/preproxy_users"
   files: compat = "no"
  Module: Instantiated files (files)
  Module: Loaded Acct-Unique-Session-Id
   acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  Module: Instantiated acct_unique (acct_unique)
  Module: Loaded detail
   detail: detailfile = "/usr/local/freeradius-1.1.6/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
   detail: detailperm = 384
   detail: dirperm = 493
   detail: locking = no
  Module: Instantiated detail (detail)
  Module: Loaded radutmp
   radutmp: filename = "/usr/local/freeradius-1.1.6/var/log/radius/radutmp"
   radutmp: username = "%{User-Name}"
   radutmp: case_sensitive = yes
   radutmp: check_with_nas = yes
   radutmp: perm = 384
   radutmp: callerid = yes
  Module: Instantiated radutmp (radutmp)
  Listening on authentication *:1812
  Listening on accounting *:1813
  Ready to process requests.
  rad_recv: Accounting-Request packet from host 10.1.2.182:1813, id=91, length=198
          NAS-IP-Address = 10.1.2.182
          NAS-Port-Type = Async
          User-Name = "111"
          Called-Station-Id = "0227130985"
          Calling-Station-Id = "886227130985"
          Acct-Status-Type = Start
          Service-Type = Dialout-Framed-User
          h323-gw-id = "111"
          h323-conf-id = "3023024-20070523144854"
          h323-call-origin = "answer"
          h323-call-type = "VOIP"
          h323-setup-time = "06:48:54.912 UTC Wed May 23 2007"
          Acct-Session-Id = "0024"
          Acct-Delay-Time = 0
    Processing the preacct section of radiusd.conf
  modcall: entering group preacct for request 0
    modcall[preacct]: module "preprocess" returns noop for request 0
  rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
  rlm_acct_unique: Hashing ',Client-IP-Address = 10.1.2.182,NAS-IP-Address = 10.1.2.182,Acct-Session-Id = "0024",User-Name = "111"'
  rlm_acct_unique: Acct-Unique-Session-ID = "f5de261a872f9626".
    modcall[preacct]: module "acct_unique" returns ok for request 0
      rlm_realm: No '@' in User-Name = "111", looking up realm NULL
      rlm_realm: No such realm "NULL"
    modcall[preacct]: module "suffix" returns noop for request 0
      acct_users: Matched entry DEFAULT at line 19
    modcall[preacct]: module "files" returns ok for request 0
  modcall: leaving group preacct (returns ok) for request 0
    Processing the accounting section of radiusd.conf
  modcall: entering group accounting for request 0
  radius_xlat: '/usr/local/freeradius-1.1.6/var/log/radius/radacct/10.1.2.182/detail-20070523'
  rlm_detail: /usr/local/freeradius-1.1.6/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/freeradius-1.1.6/var/log/radius/radacct/10.1.2.182/detail-20070523
    modcall[accounting]: module "detail" returns ok for request 0
    modcall[accounting]: module "unix" returns noop for request 0
  radius_xlat: '/usr/local/freeradius-1.1.6/var/log/radius/radutmp'
  radius_xlat: '111'
  rlm_radutmp: No NAS-Port seen. Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
    modcall[accounting]: module "radutmp" returns noop for request 0
  modcall: leaving group accounting (returns ok) for request 0
  Exec-Program output:
  Exec-Program: returned: 0
  Sending Accounting-Response of id 91 to 10.1.2.182 port 1813
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 6 seconds...
  rad_recv: Access-Request packet from host 10.1.2.182:1816, id=92, length=106
          NAS-IP-Address = 10.1.2.182
          NAS-Port-Type = Async
          Service-Type = Authenticate-Only
          User-Name = "A001"
          h323-conf-id = "3023024-20070523144854"
          Calling-Station-Id = "886227130985"
          User-Password = "111"
    Processing
AW: Freeradius and rlm_mysql with encrypted PWD's
Hi,

Thanks for your answer. My situation is: I want to authenticate users who are logging into Linux systems or Cisco systems via SSH. The SSH client sends a RADIUS request to the freeradius server. The RADIUS server can read the User-Password from the request and decrypt it. I want to use a MySQL DB to store the passwords. How do I have to configure the freeradius server so I can save the passwords as MD5 or SHA1 hashes?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Dennis Skinner
Sent: Tuesday, 22 May 2007 17:31
To: FreeRadius users mailing list
Subject: Re: Freeradius and rlm_mysql with encrypted PWD's

Rascher, Markus wrote:
> In prev. threads I read about the same problem I have now. But I never
> found an answer which solves my problem.
> My question is: what kind of password encryption is supported in the
> MySQL DB used by the freeradius server to authenticate users?

It depends...

http://deployingradius.com/documents/protocols/compatibility.html

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Accounting-Response with invalid signature
Hi All,

I got the following message in my radius.log:

  Wed May 23 16:39:11 2007 : Error: Received Accounting-Response packet from 172.16.1.1:1813 with invalid signature (err=2)!  (Shared secret is incorrect.)
  Wed May 23 16:39:11 2007 : Error: Reply from home server 172.16.1.1:1813 - ID: 180 arrived too late for request 2515449. Try increasing 'retry_delay' or 'max_request_time'

It caused some problems with accounting records. The secret between NAS and RADIUS is the same, but the log tells me the secret is incorrect at the Accounting-Response. Does anybody know what the main cause is and how to fix it?

PS. NAS and RADIUS are in the same subnet without any firewall.

[EMAIL PROTECTED]
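Both "Shared secret is incorrect" messages in this digest, the "invalid signature" on an Accounting-Response in this thread and the "invalid Message-Authenticator" on a Linksys Access-Request in the thread above, come from the receiver recomputing an integrity value with the secret it has configured for the peer and finding a mismatch. The Python below is an added example written for this digest, not FreeRADIUS code or anything a poster sent; it implements the two checks from RFC 2865/2866 (Response Authenticator) and RFC 2869 section 5.14 (Message-Authenticator) over constructed sample packets. The secrets `testing123` and `working789`, the user names and the NAS address 192.168.6.15 are reused from the posts purely as sample values, and the fixed Request Authenticator is constructed (a real NAS uses random bytes).

```python
"""Added example: the two RADIUS integrity checks behind the errors quoted
in this digest.  All secrets, identifiers and addresses are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed: a fixed 16-octet Request Authenticator so the demo is repeatable.
SAMPLE_REQUEST_AUTH = bytes(range(16))


def attr(type_, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("BB", type_, len(value) + 2) + value


def build_accounting_request(ident, attrs, secret):
    """RFC 2866 section 3: the Accounting-Request authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator (RFC 2865/2866 section 3):
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response, request, secret):
    """What a proxy does when the home server replies: recompute the Response
    Authenticator with the secret configured for that home server and compare.
    A mismatch is what FreeRADIUS reports as 'invalid signature'."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = build_response(response[0], request, response[20:], secret)
    return hmac.compare_digest(expected[4:20], response[4:20])


def build_access_request(ident, request_auth, attrs, secret):
    """RFC 2869 section 5.14: Message-Authenticator is HMAC-MD5, keyed with
    the shared secret, over the whole packet with its own value zeroed."""
    placeholder = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(placeholder))
    mac = hmac.new(secret, header + request_auth + placeholder, hashlib.md5).digest()
    return header + request_auth + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(pkt, secret):
    """Walk the TLV attributes, find Message-Authenticator, zero it and
    recompute; this is the check behind 'invalid Message-Authenticator'."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return False  # malformed attribute: reject rather than guess
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False  # attribute absent


def demo():
    """Exercise both checks with a matching and a mismatching secret."""
    good, bad = b"testing123", b"working789"
    nas_attrs = attr(ATTR_USER_NAME, b"prajakta") + attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 6, 15]))
    access_req = build_access_request(0, SAMPLE_REQUEST_AUTH, nas_attrs, good)
    acct_req = build_accounting_request(91, attr(ATTR_USER_NAME, b"111"), good)
    acct_resp = build_response(ACCOUNTING_RESPONSE, acct_req, b"", good)
    return {
        "message_authenticator_ok": verify_message_authenticator(access_req, good),
        "message_authenticator_wrong_secret": verify_message_authenticator(access_req, bad),
        "accounting_response_ok": verify_response(acct_resp, acct_req, good),
        "accounting_response_wrong_secret": verify_response(acct_resp, acct_req, bad),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note which secret each check uses: `verify_response` on the proxy takes the secret configured for the home server (the point Alex French makes in this thread), while `verify_message_authenticator` on the server takes the secret from the matching `client` entry in clients.conf. A mismatch in either place yields exactly the log lines quoted above, and because both are keyed hashes over the full packet, any NAS or home server that builds the hash over the wrong bytes fails the same way as one with the wrong secret.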
LDAP access configuration
Hello all,

I have a scenario where a first radius server (R1) proxies the authentication request to another radius server (R2). Later, when the user is authenticated, R1 must access an LDAP server to recover some network parameters, such as Session-Timeout or Framed-IP-Address, and enforce them in the Access Point (AP).

Currently, R1 is configured to access the LDAP server using the user name as filter (filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" in radiusd.conf). My question is: is it possible to configure this filter to use a radius attribute received in the response from R2? I mean, R2 returns in the response an attribute called attr1=val1, and then R1 must use this attribute to search in the LDAP server (filter="(uid=%{attr1})" or something similar?)

                               Internet
                              /
    User ---- AP ---- R1 ------------ R2
                        \
                         LDAP

    User      AP      R1      LDAP      R2
     |  (authn req.)   |         |        |
     |------->|------->|------------------>|
     |        |        |  (authn response + attr1=val1)
     |        |        |<------------------|
     |        |        | (search uid=attr1)|
     |        |        |-------->|         |
     |        |        | (network params)  |
     |        |        |<--------|         |
     |  (Success) (params)       |         |
     |<-------|<-------|         |         |

Thanks in advance.

--
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644  Fax: +34-968-364151
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo