Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.

2007-07-16 Thread Alan DeKok
Govardhana K N wrote:
 Is the support for this encryption already present in FreeRadius
 1.1.3? If yes, how can I add attributes to use that encryption algorithm?

$ man dictionary

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS authentication (Alan DeKok)

2007-07-16 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
   Everything is working fine. But the logs are not coming when user
 authenticates.

  What logs?  Accounting?

  If so, see the FAQ.

  Alan DeKok.


Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.

2007-07-16 Thread Govardhana K N

Alan,

Thanks for the help. I have got how to configure the encryption support.

I need one more help. I tried to include Microsoft attributes
(MS-MPPE-Send-Key, MS-MPPE-Recv-Key) for which the encryption type is
already set to 2, but the attribute values are not getting encrypted in
Access-Accept. How can I solve this problem?


Thanks & Regards,
Govardhana K N

On 7/16/07, Alan DeKok [EMAIL PROTECTED] wrote:


Govardhana K N wrote:
 Is the support for this encryption already present in FreeRadius
 1.1.3? If yes, how can I add attributes to use that encryption algorithm?

$ man dictionary

Alan DeKok.
--
With Regards,
Govardhana K N

Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.

2007-07-16 Thread Alan DeKok
Govardhana K N wrote:
 I need one more help. I tried to include Microsoft attributes
 (MS-MPPE-Send-Key, MS-MPPE-Recv-Key) for which the encryption type is
 already set to 2, but the attribute values are not getting encrypted in
 Access-Accept. How can I solve this problem?

  Post the debug log, as suggested in the FAQ, README, INSTALL, and many
other places.

  Are you *sure* the attributes are not being encrypted?  Or maybe it's
just you're not familiar with the process?

  Alan DeKok.


Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.

2007-07-16 Thread Govardhana K N

Alan,

I followed the following steps for configuring microsoft attributes and
other vendor attributes:

1. created and configured the vendor attributes (MN-HA-MIP4-KEY,
MN-HA-MIP4-SPI) in dictionary.wimax, with option encrypt=2, the
   values are getting encrypted.

2. Configured in file users to check for Nas-Identifier and Nas-Port-Type
and configured the attributes for access-accept as below:
--
govardhana  Nas-Identifier == nas, Nas-Port-Type == 15
   CUI = cui,
   Class = class,
   State = state,
   Framed-MTU = 1400,
   Framed-Ip-Address = 1.2.3.4,
   Service-Type = Framed-User,
   session-timeout = 30,
   MS-MPPE-Send-Key = msk,
   MS-MPPE-Recv-Key = recvmsk,
   AAA-Session-Id = multisessionid,
   HA-IP-MIP4 = 1.1.1.1,
   Dhcpv4-Server = 2.2.2.2,
   MN-HA-MIP4-KEY = mipkey,
   MN-HA-MIP4-SPI = mipspi,
   DHCP-RK = dhcprk,
   DHCP-RK-KEY-ID = dhcpkey,
   DHCP-RK-LIFETIME = 20
--

3. Below is the snapshot from client:
--
cheux301:/home/govardhana# radclient -x localhost auth jrcsecret 
access-request
Sending Access-Request of id 173 to 127.0.0.1 port 1812
   User-Name = govardhana
   User-Password = govardhana
   NAS-Identifier = nas
   NAS-Port-Type = Ethernet
   CUI = 0
   Service-Type = Framed-User
   Framed-MTU = 1400
   Calling-Station-Id = 1:1:1:1:1:1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=173,
length=305
   CUI = cui
   Class = 0x6a7263636c617373
   State = 0x6a72637374617465
   Framed-MTU = 1400
   Framed-IP-Address = 1.2.3.4
   Service-Type = Framed-User
   Session-Timeout = 30
   MS-MPPE-Send-Key = 0x6a72636d736b
   MS-MPPE-Recv-Key = 0x6a7263726563766d736b
   AAA-Session-Id = multisessionid
   HA-IP-MIP4 = 1.1.1.1
   DHCPv4-Server = 2.2.2.2
   MN-HA-MIP4-KEY =
\225~\035\235\354\363\203\316Z\377\327\2174\360\330r\30
   MN-HA-MIP4-SPI = \234V.\326\014_\363fn\253_K\355-([\326\020
   DHCP-RK = dhcprk
   DHCP-RK-KEY-ID = dhcpkey
   DHCP-RK_LIFETIME = 20
--

5. Below is snap from Server
--
rad_recv: Access-Request packet from host 127.0.0.1:32813, id=173, length=92
   User-Name = govardhana
   User-Password = govardhana
   NAS-Identifier = jrcnas
   NAS-Port-Type = Ethernet
   CUI = 0
   Service-Type = Framed-User
   Framed-MTU = 1400
   Calling-Station-Id = 1:1:1:1:1:1
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = govardhana, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 152
   users: Matched entry govardhana at line 177
 modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type System
auth: type System
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
 modcall[authenticate]: module unix returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
Login OK: [govardhana] (from client localhost port 0 cli 1:1:1:1:1:1)
Sending Access-Accept of id 173 to 127.0.0.1 port 32813
   CUI = jrccui
   Class = 0x6a7263636c617373
   State = 0x6a72637374617465
   Framed-MTU = 1400
   Framed-IP-Address = 1.2.3.4
   Service-Type = Framed-User
   Session-Timeout = 30
   WiMAX-Capability = Accounting-Capability
   MS-MPPE-Send-Key = 0x6a72636d736b
   MS-MPPE-Recv-Key = 0x6a7263726563766d736b
   AAA-Session-Id = jrcmultisessionid
   HA-IP-MIP4 = 1.1.1.1
   DHCPv4-Server = 2.2.2.2
   MN-HA-MIP4-KEY = jrcmipkey
   MN-HA-MIP4-SPI = jrcmipspi
 

Re: EAP-TLS authentication

2007-07-16 Thread anoop_c
Dear Alan
 I have been using Navis radius. Now I decided to move to free radius. In the
navis radius there is a log file. So it will be shown as "Username" login ok
or "user login failed due to.."
 So these logs will be very helpful for troubleshooting.
 In free radius there is no log file getting updated.
   This is not accounting.

Regards
Anoop

[EMAIL PROTECTED] wrote:
   Everything is working fine. But the logs are not coming when user
authenticates.

  What logs?  Accounting?

  If so, see the FAQ.

  Alan DeKok.



Password = xpkg ?

2007-07-16 Thread E. abdelghani

hello


So I have Mera Softswitch with Radius in contact, so the authentication works very well.
The Username is my NAT-IP and the Password is "xpgk". My question is how I can modify this password and in which file it is saved?
I have stored it in the Radius server DB (radcheck table), but the NAT needs one password to be connected.


Now if I modify the password in RADIUS, the connection does not work with my PBX.
My question is how I can modify this NAT password and in which file it is saved?


Re: EAP-TLS authentication

2007-07-16 Thread Stefan Winter
  I have been using Navis radius. Now I decided to move to free radius. In
 the navis radius there is a log file. So it will be shown as "Username"
 login ok or "user login failed due to.." So these logs will be very
 helpful for troubleshooting.
  In free radius there is no log file getting updated.
 This is not accounting.

Exactly this information goes into /var/log/radius/radius.log if you enabled
it in the config - as is per default.
That is, only if you are *NOT* running with -X.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: EAP-TLS authentication (Alan DeKok)

2007-07-16 Thread anoop_c
Message: 6
Date: Fri, 13 Jul 2007 14:25:43 +0200
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: EAP-TLS authentication (Alan DeKok)
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Hi
  Everything is working fine. But the logs are not coming when user
authenticates.

Regards
Anoop




[EMAIL PROTECTED] wrote:
 pls find the attached 
...
 Sending Access-Accept of id 4 to 192.168.0.50 port 1026

  The RADIUS server thinks everything is OK.

  Alan DeKok.





FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp
Hello,

Here is an access-request packet from a Cisco Router (2621):
NAS-IP-Address = IP_NAS
NAS-Port = 66
NAS-Port-Type = Virtual
User-Name = MyUserLogin
Calling-Station-Id = IP NAS
User-Password = ry\My\Pass/Wo\rd\Hash\Not\Plain\Text`

Why is my password not in plain text ? With other cisco devices (Switch 2960 for
example), the User-Password is in plain text.. If I receive a hashed password,
the authentication doesn't work..


My AAA configuration :
   aaa new-model
   aaa authentication login default group radius line
   aaa authentication login console line
   aaa authorization exec default group radius none
   aaa authorization network default group radius
   aaa accounting exec default start-stop group radius
   aaa accounting connection default start-stop group radius

What can I do ?

Thanks for your help !

Nicos.








How to configure EAP Identity in 1.1.3

2007-07-16 Thread Govardhana K N

Hi,

I was trying to configure FreeRadius server with EAP authentication. As
mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an
EAP message and Message-Authenticator attributes in Access-Request. When I
tried sending an Access-Request with EAP-Message, I got the following error:
rlm_eap: Identity Unknown, authentication failed.

How to configure the Identity for EAP?

debug log from server:
-

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /var/log/freeradius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/freeradius/freeradius.pid
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = no
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = /etc/passwd
unix: shadow = /etc/shadow
unix: group = /etc/group
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/freeradius/huntgroups
preprocess: hints = /etc/freeradius/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc/freeradius/users
files: acctusersfile = /etc/freeradius/acct_users
files: preproxy_usersfile = /etc/freeradius/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /var/log/freeradius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Ready to process 

Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread Stefan Winter
 User-Password = ry\My\Pass/Wo\rd\Hash\Not\Plain\Text`

 Why is my password not in plain text ? With other cisco devices (Switch
 2960 for example), the User-Password is in plain text.. If I receive a
 hashed password, the authentication doesn't work..

Are you sure it's hashed, and not just garbled? First guess is: check the 
shared secret on the Cisco device and the server.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re : EAP-TLS authentication

2007-07-16 Thread Eshun Benjamin

 There is a log file. Check your configure log to find out the path you specified
for the log. You can also run in debug mode. radiusd -X



== 
Benjamin K. Eshun

----- Original message -----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 11:41:05
Subject: Re: EAP-TLS authentication

Dear Alan
 I have been using Navis radius. Now I decided to move to free radius. In the
navis radius there is a log file. So it will be shown as "Username" login ok
or "user login failed due to.."
 So these logs will be very helpful for troubleshooting.
 In free radius there is no log file getting updated.
   This is not accounting.

Regards
Anoop

[EMAIL PROTECTED] wrote:
   Everything is working fine. But the logs are not coming when user
authenticates.

  What logs?  Accounting?

  If so, see the FAQ.

  Alan DeKok.

Re : How to configure EAP Identity in 1.1.3

2007-07-16 Thread Eshun Benjamin
You have misconfigured the Nas-Identifier 

 govardhana  Nas-Identifier == nas, Nas-Port-Type == 15

You have NAS-Identifier = jrcnas
== 
Benjamin K. Eshun

----- Original message -----
From: Govardhana K N [EMAIL PROTECTED]
To: FreeRadius freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3

Hi,

I was trying to configure FreeRadius server with EAP authentication. As
mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an EAP
message and Message-Authenticator attributes in Access-Request. When I tried
sending an Access-Request with EAP-Message, I got the following error: rlm_eap:
Identity Unknown, authentication failed.

How to configure the Identity for EAP?


Re: Configuration doubt

2007-07-16 Thread Alan DeKok
Osvaldohp wrote:
 This is my users file:
 mike  Auth-Type = System, User-Password == mike
   Session-Timeout := 3600,
 
 What am I doing wrong?

  You're telling the server to look in /etc/passwd for the user's
password, and then also telling it what the user's password is.

  Don't set Auth-Type.

  Use 1.1.6.

  Use Cleartext-Password, not User-Password, as suggested in the FAQ.

  Alan DeKok.


Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.

2007-07-16 Thread Alan DeKok
Govardhana K N wrote:
 1. created and configured the vendor attributes (MN-HA-MIP4-KEY,
 MN-HA-MIP4-SPI) in dictionary.wimax, with option encrypt=2, the  
 values are getting encrypted.

  Can you post that here?  I'm not sure the server will understand the
WiMAX attributes, as multiple WiMAX attributes are packed into one WiMAX
VSA.

...
 MS-MPPE-Send-Key = 0x6a72636d736b
 MS-MPPE-Recv-Key = 0x6a7263726563766d736b

  That came across just fine.

 MN-HA-MIP4-KEY =
 \225~\035\235\354\363\203\316Z\377\327\2174\360\330r\30
 MN-HA-MIP4-SPI = \234V.\326\014_\363fn\253_K\355-([\326\020

  That didn't.

  You're running a configuration that no one has seen before.

  Alan DeKok.
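
The two attribute-protection schemes these threads turn on, as one added example (not code from the list or from FreeRADIUS): RFC 2865 section 5.2 User-Password hiding, where a shared-secret mismatch between NAS and server produces the garbled password raised in the Cisco thread above, and the RFC 2868 section 3.5 salted encryption that the dictionary flag encrypt=2 selects, which a receiver holding the secret reverses before it displays the value. The secrets, authenticator, values and function names are constructed for illustration.

```python
import hashlib
import os


def _md5_chain(secret, seed, data, decrypt):
    """XOR each 16-byte block with MD5(secret + previous ciphertext block).

    The first pad is MD5(secret + seed); this chaining is shared by
    RFC 2865 section 5.2 and RFC 2868 section 3.5.
    """
    out, prev = bytearray(), seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res  # always the ciphertext block
    return bytes(out)


def hide_user_password(password, secret, req_auth):
    """RFC 2865 5.2: NUL-pad to a multiple of 16, seed = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_chain(secret, req_auth, padded, decrypt=False)


def unhide_user_password(hidden, secret, req_auth):
    """Receiver side. The scheme has no integrity check of its own:
    a wrong secret yields garbage bytes, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    return _md5_chain(secret, req_auth, hidden, decrypt=True).rstrip(b"\x00")


def encrypt_salted(value, secret, req_auth, salt=None):
    """RFC 2868 3.5 body: Salt(2) + encrypted(Length(1) + value + NUL padding)."""
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([rnd[0] | 0x80, rnd[1]])  # top bit of the salt must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the top bit set")
    if len(value) > 255:
        raise ValueError("value too long for a one-octet length field")
    plain = bytes([len(value)]) + value
    plain += b"\x00" * (-len(plain) % 16)
    return salt + _md5_chain(secret, req_auth + salt, plain, decrypt=False)


def decrypt_salted(body, secret, req_auth):
    """Return the value, or None when the recovered length octet is impossible
    (the usual sign of a wrong secret or wrong Request Authenticator)."""
    salt, enc = body[:2], body[2:]
    if len(salt) != 2 or not enc or len(enc) % 16:
        return None
    plain = _md5_chain(secret, req_auth + salt, enc, decrypt=True)
    length = plain[0]
    if length > len(plain) - 1:
        return None
    return plain[1:1 + length]


def demo():
    # Constructed sample values; none of them come from the thread.
    req_auth = bytes(range(16))
    server_secret, nas_secret = b"testing123", b"testing124"  # one-character mismatch
    hidden = hide_user_password(b"MyPassword", nas_secret, req_auth)
    body = encrypt_salted(b"msk", server_secret, req_auth, salt=b"\x80\x01")
    return {
        "matching_secret": unhide_user_password(hidden, nas_secret, req_auth),
        "mismatched_secret": unhide_user_password(hidden, server_secret, req_auth),
        "wire_body": body,
        "receiver_sees": decrypt_salted(body, server_secret, req_auth),
        "wrong_secret_sees": decrypt_salted(body, nas_secret, req_auth),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value!r}")
```
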


Configuration doubt

2007-07-16 Thread Osvaldohp
Hi all.
I'd like some help to configure my Radius
server. My Radius authenticates users from my HotSpot to access the
internet.
I want to limit the uses to access the Internet. I did try the Session-Timeout
attribute, but it doesn't work so far.

This is my users file:
mike  Auth-Type = System, User-Password == mike
  Session-Timeout := 3600,

What am I doing wrong?
Can anyone help me with this task?
Thanks




How to configure EAP Identity in 1.1.3

2007-07-16 Thread Govardhana K N

I changed it but the same error is still coming.

On 7/16/07, Eshun Benjamin [EMAIL PROTECTED] wrote:


 You have misconfigured the Nas-Identifier

 govardhana  Nas-Identifier == nas, Nas-Port-Type == 15

You have NAS-Identifier = jrcnas
==
Benjamin K. Eshun

----- Original message -----
From: Govardhana K N [EMAIL PROTECTED]
To: FreeRadius freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3

Hi,

I was trying to configure FreeRadius server with EAP authentication. As
mentioned in eap.conf, I didn't change the Auth-Type, but I was sending
an EAP message and Message-Authenticator attributes in Access-Request. When
I tried sending an Access-Request with EAP-Message, I got the following
error: rlm_eap: Identity Unknown, authentication failed.

How to configure the Identity for EAP?


Re: How to configure EAP Identity in 1.1.3

2007-07-16 Thread tnt
Add EAP-Type-Identity to radeapclient attributes.

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Govardhana K N [EMAIL PROTECTED] wrote:

Hi,

I was trying to configure FreeRadius server with EAP authentication. As
mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an
EAP message and Message-Authenticator attributes in Access-Request. When I
tried sending an Access-Request with EAP-Message, I got the following error:
rlm_eap: Identity Unknown, authentication failed.

How to configure the Identity for EAP?

 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/freeradius/radutmp
 radutmp: username = %{User-Name}
 radutmp: 

Re: Password = xpkg ?

2007-07-16 Thread tnt
NAT (Network Address Translation) or NAS (Network Access Server)?

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, E. abdelghani [EMAIL PROTECTED] wrote:


hello


So I have Mera Softswitch with Radius in contact, so the authentication works 
very well.
The Username is my NAT-IP and the Password is xpgk. My question is: how can I 
modify this password, and in which file is it saved?
I have stored it in the Radius server DB (radcheck table), but the NAT needs one 
password to be connected.


Now if I modify the password in RADIUS, the connection does not work with my 
PBX.
My question is: how can I modify this NAT password, and in which file is it 
saved?






Re : EAP-TLS authentication

2007-07-16 Thread anoop_c
   rad_check_password:  Found Auth-Type EAP
 auth: type \EAP\
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_eap: Identity Unknown, authentication failed
   rlm_eap: Failed in handler
   modcall[authenticate]: module \eap\ returns invalid for request 0
 modcall: leaving group authenticate (returns invalid) for request 0
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Sending Access-Reject of id 179 to 127.0.0.1 port 32813
 Waking up in 4 seconds...
 --- Walking the entire request list ---
 Cleaning up request 0 ID 179 with timestamp 469b9233
 Nothing to do.  Sleeping until we see a request.
 
 
 debug log from Client:
 -
 
 cheux301:/home/govardhana# radeapclient -x localhost auth jrcsecret
 access-request
 
 +++ About to send encoded packet:
 User-Name = \jrc\
 NAS-Identifier = \jrcnas\
 NAS-Port-Type = Ethernet
 CUI = \0\
 Service-Type = Framed-User
 Framed-MTU = 1400
 Calling-Station-Id = \1:1:1:1:1:1\
 EAP-Message = 0x0118016a7263
 Message-Authenticator = 0x00
 Sending Access-Request of id 179 to 127.0.0.1 port 1812
 User-Name = \jrc\
 NAS-Identifier = \jrcnas\
 NAS-Port-Type = Ethernet
 CUI = \0\
 Service-Type = Framed-User
 Framed-MTU = 1400
 Calling-Station-Id = \1:1:1:1:1:1\
 EAP-Message = 0x0118016a7263
 Message-Authenticator = 0x
 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=179,
 length=20
 rlm_eap: EAP-Message not found
 +++ EAP decoded packet:
 
 
 Thanks & Regards,
 Govardhana K N
 
 
 
 
 -- 
 With Regards,
 Govardhana K N
 
 --
 
 Message: 3
 Date: Mon, 16 Jul 2007 12:31:27 +0200
 From: Stefan Winter [EMAIL PROTECTED]
 Subject: Re: FreeRadius and User-Password from Cisco Device
 To: FreeRadius users mailing list
   freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=\iso-8859-1\
 
  User-Password = \ryMyPass/WordHashNotPlainText`\
 
  Why is my password not in plain text ? With other cisco devices (Switch
  2960 for example), the User-Password is in plain text.. If I receive a
  hashed password, the authentication doesn't work..
 
 Are you sure it's hashed, and not just garbled? First guess is: check the
 shared secret on the Cisco device and the server.
 
 Stefan
 
 -- 
 Stefan WINTER
 
 Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
 la Recherche
 Ingenieur Forschung & Entwicklung
 
 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg
 E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
 http://www.restena.lu                Fax:      +352 422473
 
 
 --
 
 Message: 4
 Date: Mon, 16 Jul 2007 11:13:54 + (GMT)
 From: Eshun Benjamin [EMAIL PROTECTED]
 Subject: Re : EAP-TLS authentication
 To: FreeRadius users mailing list
   freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=\iso-8859-1\
 
 
  There is log file. Check your configure log to find out the path you
 specified for the log. You can also run in debug mode. radiusd -X
 
 
 
 == 
 Benjamin K. Eshun
 
 - Original message 
 From: [EMAIL PROTECTED] [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Sent: Monday, 16 July 2007, 11:41:05
 Subject: Re: EAP-TLS authentication
 
 Dear Alan
  I have been using Navis radius. Now I decided to move to free
 radius. In the navis radius there is a log file. So it will be shown as
 "Username" login ok or "user login failed due to.."
  So these logs will be very helpful for troubleshooting.
  In free radius there is no log file getting updated.
 This is not accounting.
 
 Regards
 Anoop
 
 Content-Type: text/plain; charset=ISO-8859-1
 
 [EMAIL PROTECTED] wrote:
Everything is working fine.But the logs are not coming when user
 authenticates.
 
   What logs?  Accounting?
 
   If so, see the FAQ.
 
   Alan DeKok.
 
 - 
 List info/subscribe/unsubscribe? See
 http
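
The EAP-Message value 0x0118016a7263 from the radeapclient output quoted above, decoded against the RFC 3748 header layout (Code, Identifier, 2-byte Length, then Type for Request/Response). This is an added example, not part of the thread or of FreeRADIUS; the function names are hypothetical, and the check assumes the packet comes from the peer, as an EAP-Message inside an Access-Request does.

```python
import struct

# EAP codes from RFC 3748 section 4.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def check_peer_eap(raw: bytes) -> dict:
    """Decode the EAP header of a packet sent by a peer and list what is
    inconsistent about it. Hypothetical helper, not a FreeRADIUS API."""
    if len(raw) < 4:
        raise ValueError("EAP packet is shorter than the 4-byte header")
    code, identifier, declared = struct.unpack("!BBH", raw[:4])

    problems = []
    if code not in EAP_CODES:
        problems.append(f"unknown EAP code {code}")
    if declared != len(raw):
        # The Length field covers the whole packet, header included.
        problems.append(f"Length field says {declared} bytes, packet has {len(raw)}")
    if code == 1:
        problems.append("code 1 is a Request; a peer answers with code 2 (Response)")

    eap_type, data = None, b""
    if code in (1, 2):
        if len(raw) < 5:
            problems.append("Request/Response without a Type octet")
        else:
            eap_type, data = raw[4], raw[5:]

    is_identity = code == 2 and eap_type == EAP_TYPE_IDENTITY
    return {
        "code": code,
        "identifier": identifier,
        "declared_length": declared,
        "actual_length": len(raw),
        "type": eap_type,
        "identity": data if is_identity else None,
        "problems": problems,
    }


def build_identity_response(identifier: int, identity: bytes) -> bytes:
    """Build a well-formed EAP-Response/Identity for comparison."""
    length = 5 + len(identity)  # 4-byte header + Type octet + identity
    return struct.pack("!BBHB", 2, identifier, length, EAP_TYPE_IDENTITY) + identity


if __name__ == "__main__":
    posted = bytes.fromhex("0118016a7263")          # value from the client log above
    wellformed = build_identity_response(0x18, b"jrc")
    for label, pkt in (("posted", posted), ("well-formed", wellformed)):
        result = check_peer_eap(pkt)
        print(label, pkt.hex(), result["problems"] or "no problems")
```

The posted bytes declare a length of 362 in a 6-byte packet and carry code 1, while an Identity response for "jrc" with the same identifier is 0x02180008016a7263.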

Re : Re : Password = xpgk (Kalik)

2007-07-16 Thread E. abdelghani
Hello Ivan Kalik: here is the output from radiusd  -X :
I worked with Mera Softswitch and freeradius for authentication!
Also, how can I modify this User-Password xpgk ?

rad_recv: Access-Request packet from host 192.168.100.211:1912, id=10, 
length=696
User-Name = 192.168.100.180
User-Password = xpgk
NAS-IP-Address = 192.168.100.211
NAS-Port-Type = Async
Service-Type = Login-User
Called-Station-Id = 907070
Calling-Station-Id = 4002
Cisco-AVPair = xpgk-request-type=number
Acct-Session-Id = 5ca3d369-8-3c1329b1
h323-conf-id = h323-conf-id=02B21DF1 D6B213A4 3E960001 A8045DEC
Cisco-AVPair = h323-call-id=02B21DF1 D6B213A4 3E950001 A8045DEC
h323-gw-id = h323-gw-id=192.168.100.180
Cisco-AVPair = h323-gw-address=192.168.100.180
Cisco-AVPair = h323-incoming-local-address=192.168.100.211
h323-remote-address = h323-remote-address=194.6.239.4
Cisco-AVPair = h323-remote-id=194.6.239.4
Cisco-AVPair = xpgk-h323-id=4FXS-045dec
Cisco-AVPair = xpgk-src-number-in=4002
Cisco-AVPair = xpgk-src-number-out=4002
Cisco-AVPair = xpgk-dst-number-in=907070
Cisco-AVPair = xpgk-dst-number-out=907070
h323-setup-time = h323-setup-time=14:02:37.000 CEST Mon Jul 16 
2007
Cisco-AVPair = xpgk-route-retries=1

Thanks!



Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.

2007-07-16 Thread Govardhana K N

I have put the configuration details inline.

I am using the Radius server for Testing purpose, I want to receive WiMAX
attributes in the Access-Accept, so I have configured those in dictionary
file and users file.

Thanks & Regards,
Govardhana K N


On 7/16/07, Alan DeKok [EMAIL PROTECTED] wrote:


Govardhana K N wrote:
 1. created and configured the vendor attributes (MN-HA-MIP4-KEY,
 MN-HA-MIP4-SPI) in dictionary.wimax, with option encrypt=2, the
 values are getting encrypted.

Can you post that here?  I'm not sure the server will understand the
WiMAX attributes, as multiple WiMAX attributes are packed into one WiMAX
VSA.





[Govardhana:] I have put the configuration in dictionary.wimax
ATTRIBUTE   MSK                5   string  encrypt=2
ATTRIBUTE   HA-IP-MIP4         6   string
ATTRIBUTE   DHCPv4-Server      8   string
ATTRIBUTE   MN-HA-MIP4-KEY     10  string  encrypt=2
ATTRIBUTE   MN-HA-MIP4-SPI     11  string  encrypt=2
ATTRIBUTE   DHCP-RK            40  string
ATTRIBUTE   DHCP-RK-KEY-ID     41  string
ATTRIBUTE   DHCP-RK-LIFETIME   42  string




...

 MS-MPPE-Send-Key = 0x6a72636d736b
 MS-MPPE-Recv-Key = 0x6a7263726563766d736b

That came across just fine.

 MN-HA-MIP4-KEY =
 \225~\035\235\354\363\203\316Z\377\327\2174\360\330r\30
 MN-HA-MIP4-SPI = \234V.\326\014_\363fn\253_K\355-([\326\020

That didn't.

You're running a configuration that no one has seen before.

Alan DeKok.






--
With Regards,
Govardhana K N

FreeRadius MySQL - Logs (where they are?)

2007-07-16 Thread Nataniel Klug
Hello all,

I have configured my FreeRadius server to auth my clients over a 
MySQL table. The problem is that I do not have any more logs (like wrong 
login attempts). The detailed log is being done into a MySQL table named 
radacct (and works fine to block simultaneous use) but the problem is 
that I can't see anymore why a login attempt gets rejected.

Can someone tell me where to look?

-- 
Att,

NATANIEL KLUG
[EMAIL PROTECTED]


Cyber Nett - Internet Banda Larga
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

... the wise, too, have a tangible heart and may, at times, use 
science as a means of showing sentimental impressions of which many do not 
judge them capable.
Visconde de Taunay




RE: Freeradius 1.1.6 and Cisco 2000 Wirelss Controller

2007-07-16 Thread Brian Ertel
Hi Alan,

What should I be looking for in the eap.conf file?

Thanks,

Brian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 13, 2007 5:16 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius 1.1.6 and Cisco 2000 Wirelss Controller

and your eap.conf?

alan


Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp
The shared secret is the same because I use a radius Proxy and this proxy
forwards the access-request to my radius server. The problem is the password !
With a password in plain text (Check with H3C 2811 and Cisco 2960 equipment).

Thanks for your help !

Nicolas.


Quoting Stefan Winter [EMAIL PROTECTED]:

  User-Password = ry\My\Pass/Wo\rd\Hash\Not\Plain\Text`
 
  Why is my password not in plain text ? With other cisco devices (Switch
  2960 for example), the User-Password is in plain text.. If I receive a
  hashed password, the authentication doesn't work..

 Are you sure it's hashed, and not just garbled? First guess is: check the
 shared secret on the Cisco device and the server.

 Stefan

 --
 Stefan WINTER

 Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
 la Recherche
 Ingenieur Forschung & Entwicklung

 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg
 E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
 http://www.restena.lu                Fax:      +352 422473





Re: Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.

2007-07-16 Thread Alan DeKok
Govardhana K N wrote:
 [Govardhana:] I have put the configuration in dictionary.wimax
 ATTRIBUTE   MSK   5

  There's rather more than that, I think.

  In any case, what's probably happening is that you've edited the
dictionary on the server, but not on the client.

  Alan DeKok.


Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread Stefan Winter
Hm, this means the NAS actually sent this garbage/hash. In this case, it would 
be enlightening to see the lines in your IOS config that start with 

radius-server

not the aaa ones.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp
Here, my radius configuration :

radius-server host RADIUS_IP auth-port 1812 acct-port 1813 key 7 RADUIUS_KEY
radius-server retransmit 1
radius-server timeout 2


Thanks !


Quoting Stefan Winter [EMAIL PROTECTED]:

 Hm, this means the NAS actually sent this garbage/hash. In this case, it
 would
 be enlightening to see the lines in your IOS config that start with

 radius-server

 not the aaa ones.

 Stefan

 --
 Stefan WINTER

 Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
 la Recherche
 Ingenieur Forschung & Entwicklung

 6, rue Richard Coudenhove-Kalergi
 L-1359 Luxembourg
 E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
 http://www.restena.lu                Fax:      +352 422473





Re: FreeRadius MySQL - Logs (where they are?)

2007-07-16 Thread Alan DeKok
Nataniel Klug wrote:
 I have configured my FreeRadius server to auth my clients over a 
 MySQL table. The problem is that I do not have any more logs (like wrong 
 login attempts). The detailed log is being done into a MySQL table named 
 radacct (and works fine to block simultaneous use) but the problem is 
 that I can't see anymore why a login attempt gets rejected.
 
 Can someone tell me where to look?

  The logs are put in the file radius.log, not in SQL.  See radiusd.conf.

  Alan DeKok.


RE: Freeradius 1.1.6 and Cisco 2000 Wirelss Controller

2007-07-16 Thread Brian Ertel
Ivan,

Yes, the controller does have VLAN 157 configured, that is actually the 
original client vlan configured before I started testing with vlan tags from 
freeradius.

Thanks,

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 14, 2007 11:26 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius 1.1.6 and Cisco 2000 Wirelss Controller

Radius is doing its bit. Your problem is with the Controller
configuration. Have you configured a VLAN with ID of 157 on the
Controller? Have you enabled Radius override of default settings on WLAN?

Ivan Kalik
Kalik Informatika ISP


On 13/7/2007, Brian Ertel [EMAIL PROTECTED] wrote:

Hi,

I've gotten a bit further but am still getting stuck.  I have the Cisco
Wireless Controller configured to hit Freeradius for MAC Address
Authentication.  Freeradius sees the request from the controller and
sends back the configure attributes from the users file but the
controller doesn't seem to see it correctly (the desired VLAN tag) and I
end up in the default VLAN as configured on the controller.  Below is my
users, clients.conf, and radiusd verbose data output.  Any thoughts?

Ready to process requests.
rad_recv: Access-Request packet from host 148.85.34.82:32768, id=35,
length=174
User-Name = 00:0e:35:1c:e0:52
Called-Station-Id = 00-1a-6d-6b-f0-80:2000test
Calling-Station-Id = 00-0e-35-1c-e0-52
NAS-Port = 1
NAS-IP-Address = 148.85.34.82
NAS-Identifier = WLC-34-82
Airespace-Wlan-Id = 1
User-Password = testing
Service-Type = Call-Check
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 159
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = 00:0e:35:1c:e0:52, looking up
realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry 00:0e:35:1c:e0:52 at line 80
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password Sending
Access-Accept of id 35 to 148.85.34.82 port 32768
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = 157
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 35 with timestamp 4697de6a Nothing to do.
Sleeping until we see a request.




00:0e:35:1c:e0:52 Auth-Type := Local, User-Password == testing

Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN,
Tunnel-Private-Group-Id = 157,

__

client 148.85.34.82 {
#
#  The shared secret use to encrypt and sign packets between
#  the NAS and FreeRADIUS.  You MUST change this secret from the
#  default, otherwise it's not a secret any more!
#
#  The secret can be any string, up to 31 characters in length.
#
secret  = xxx

#
#  The short name is used as an alias for the fully qualified
#  domain name, or the IP address.
#
shortname   = controller

#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#

#
# The nastype tells 'checkrad.pl' which NAS-specific method to
#  use to query the NAS for simultaneous use.
#
#  Permitted NAS types are:
#
#   cisco
#   computone
#   livingston
#   max40xx
#   multitech
#   netserver
#   pathras
#   patton
#   portslave
#   tc
#   usrhiper
#   other   # for all other types

#
nastype = other # localhost isn't usually a NAS...

_

Brian Ertel
Network Administrator
Amherst College
413-542-8320
[EMAIL PROTECTED]
_



Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread Peter Nixon
On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
 The shared secret is the same because I use a radius Proxy and this proxy
 forwards the access-request to my radius server. The problem is the
 password ! With a password in plain text (Check with H3C 2811 and Cisco
 2960 equipment).

Then you have the shared secret wrong between your proxy and your radius 
server.

-- 

Peter Nixon
http://peternixon.net/
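
The hop-by-hop behaviour behind the replies above, as an added example that is not part of the thread or of FreeRADIUS: User-Password is hidden separately on each hop with that hop's shared secret (RFC 2865 section 5.2), and a proxy recovers it and hides it again for the next hop, so a mismatch between proxy and home server garbles the password even when NAS and proxy agree. Secrets, authenticators and the password are constructed values, and the function names are hypothetical.

```python
import hashlib

BLOCK = 16  # MD5 digest size, also the User-Password block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # Pad with NULs to a multiple of 16; an empty password still fills one block.
    padded_len = max(BLOCK, -(-len(password) // BLOCK) * BLOCK)
    padded = password.ljust(padded_len, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, padded_len, BLOCK):
        prev = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret it returns noise, not an error."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def looks_garbled(value: bytes) -> bool:
    """Heuristic only: bytes outside printable ASCII suggest a secret mismatch."""
    return any(b < 0x20 or b > 0x7E for b in value)


def through_proxy(password, nas_secret, proxy_secret_for_nas,
                  proxy_secret_for_home, home_secret_for_proxy):
    """NAS -> proxy -> home server. Returns (password seen by proxy, seen by home server)."""
    nas_ra = bytes(range(16))        # constructed Request Authenticator, hop 1
    proxy_ra = bytes(range(16, 32))  # the proxy issues its own on hop 2
    hop1 = hide_password(password, nas_secret, nas_ra)
    at_proxy = recover_password(hop1, proxy_secret_for_nas, nas_ra)
    hop2 = hide_password(at_proxy, proxy_secret_for_home, proxy_ra)
    at_home = recover_password(hop2, home_secret_for_proxy, proxy_ra)
    return at_proxy, at_home


if __name__ == "__main__":
    pw = b"correct horse battery"  # constructed sample password
    print(through_proxy(pw, b"nas-secret", b"nas-secret", b"proxy-secret", b"proxy-secret"))
    # Same NAS/proxy secret, but the home server has a typo in the proxy's secret.
    print(through_proxy(pw, b"nas-secret", b"nas-secret", b"proxy-secret", b"proxy-secert"))
```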


Re: Freeradius 1.1.6 and Cisco 2000 Wirelss Controller

2007-07-16 Thread A . L . M . Buxey
Hi,

 What should I be looking for in the eap.conf file?

whether you are tunneling the reply in PEAP and TTLS.
by not providing this list with your config files you aren't helping
us to help you.

alan


figuration doubt

2007-07-16 Thread Osvaldohp
I found a nice paper about freeradius+mysql, so far everything is installed
and working fine. My question is which field of my radius database
(db_mysql.sql) I have to put Session-Timeout attribute to limit the use of
the Internet from my HotSpot users?




Re: Re : EAP-TLS authentication

2007-07-16 Thread tnt
Perhaps because of this:

 main: log_auth = no

Ivan Kalik
Kalik Informatika ISP



RE: Freeradius 1.1.6 and Cisco 2000 Wirelss Controller

2007-07-16 Thread Brian Ertel
Alan,

I did not modify this file at all

#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = md5

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to yes, you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform it's authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
leap {
}

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module challenges the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
#  Proxying the tunneled EAP-GTC session is a bad idea,
#  the users password will go over the wire in plain-text,
#  for anyone to see.
#
gtc {
#  The default challenge, which many clients
#  ignore..
#challenge = Password: 

#  The plain-text response which comes back
#  is put into a User-Password attribute,
#  and passed to another module for
#  authentication.  This allows the EAP-GTC
#  response to be checked against plain-text,
#  or crypt'd passwords.
#
#  If you say Local instead of PAP, then
#  the module will look for a User-Password
#  configured for the request, and do the
#  authentication itself.
#
auth_type = PAP
}

## EAP-TLS
#
#  To generate ctest certificates, run the script
#
#   

ldap group membership

2007-07-16 Thread inverse
 handle, #16
rlm_sql (sql): starting 17
rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
rlm_sql_mysql: Starting connect to MySQL server for #17
rlm_sql (sql): Connected new DB handle, #17
rlm_sql (sql): starting 18
rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
rlm_sql_mysql: Starting connect to MySQL server for #18
rlm_sql (sql): Connected new DB handle, #18
rlm_sql (sql): starting 19
rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
rlm_sql_mysql: Starting connect to MySQL server for #19
rlm_sql (sql): Connected new DB handle, #19
Module: Instantiated sql (sql)
 detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host :32802, id=0, length=160
User-Name = [EMAIL PROTECTED]
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x0
Message-Authenticator = 0x**
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/**/auth-detail-20070716'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/**/auth-detail-20070716
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: Looking up realm .it for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm .it
rlm_realm: Proxying request from user testuser to realm **.it
rlm_realm: Adding Realm = ***.it
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry DEFAULT at line 122
users: Matched entry DEFAULT at line 159
  modcall[authorize]: module files returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  Found Autz-Type LDAP
  Processing the authorize section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:  '([EMAIL PROTECTED])'
radius_xlat:  'dc=*,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.**.it:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/crl/root.pem
rlm_ldap: bind as cn=,ou=servizi,dc=**,dc=it/***
to ldap.**.it:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=**,dc=it, with filter
([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 0
modcall: leaving group LDAP (returns notfound) for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to * port 32802
Reply-Message = Access Denied
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 469b4247
Nothing to do.  Sleeping until we see a request.



PS
Thanks in advance for your help

Bye,
Inverse


Re: figuration doubt

2007-07-16 Thread tnt
Session-Timeout is a reply attribute, so it goes into radreply or
radgroupreply table.

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Osvaldohp [EMAIL PROTECTED] wrote:

I found a nice paper about freeradius+mysql, so far everything is installed
and working fine. My question is which field of my radius database
(db_mysql.sql) I have to put Session-Timeout attribute to limit the use of
the Internet from my HotSpot users?







RE: Freeradius 1.1.6 and Cisco 2000 Wirelss Controller

2007-07-16 Thread tnt
He is not tunneling the request, just doing MAC auth. Problem is on the
controller. debug aaa on it and see why VLAN override is not working.
Are you sure that override is on for that SSID?

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Brian Ertel [EMAIL PROTECTED] wrote:

Alan,

I did not modify this file at all

#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
#
eap {
    #  Invoke the default supported EAP type when
    #  EAP-Identity response is received.
    #
    #  The incoming EAP messages DO NOT specify which EAP
    #  type they will be using, so it MUST be set here.
    #
    #  For now, only one default EAP type may be used at a time.
    #
    #  If the EAP-Type attribute is set by another module,
    #  then that EAP type takes precedence over the
    #  default type configured here.
    #
    default_eap_type = md5

    #  A list is maintained to correlate EAP-Response
    #  packets with EAP-Request packets.  After a
    #  configurable length of time, entries in the list
    #  expire, and are deleted.
    #
    timer_expire = 60

    #  There are many EAP types, but the server has support
    #  for only a limited subset.  If the server receives
    #  a request for an EAP type it does not support, then
    #  it normally rejects the request.  By setting this
    #  configuration to yes, you can tell the server to
    #  instead keep processing the request.  Another module
    #  MUST then be configured to proxy the request to
    #  another RADIUS server which supports that EAP type.
    #
    #  If another module is NOT configured to handle the
    #  request, then the request will still end up being
    #  rejected.
    ignore_unknown_eap_types = no

    # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
    # a User-Name attribute in an Access-Accept, it copies one
    # more byte than it should.
    #
    # We can work around it by configurably adding an extra
    # zero byte.
    cisco_accounting_username_bug = no

    # Supported EAP-types

    #
    #  We do NOT recommend using EAP-MD5 authentication
    #  for wireless connections.  It is insecure, and does
    #  not provide for dynamic WEP keys.
    #
    md5 {
    }

    # Cisco LEAP
    #
    #  We do not recommend using LEAP in new deployments.  See:
    #  http://www.securiteam.com/tools/5TP012ACKE.html
    #
    #  Cisco LEAP uses the MS-CHAP algorithm (but not
    #  the MS-CHAP attributes) to perform it's authentication.
    #
    #  As a result, LEAP *requires* access to the plain-text
    #  User-Password, or the NT-Password attributes.
    #  'System' authentication is impossible with LEAP.
    #
    leap {
    }

    #  Generic Token Card.
    #
    #  Currently, this is only permitted inside of EAP-TTLS,
    #  or EAP-PEAP.  The module challenges the user with
    #  text, and the response from the user is taken to be
    #  the User-Password.
    #
    #  Proxying the tunneled EAP-GTC session is a bad idea,
    #  the users password will go over the wire in plain-text,
    #  for anyone to see.
    #
    gtc {
        #  The default challenge, which many clients
        #  ignore..
        #challenge = Password: 

        #  The plain-text response which comes back
        #  is put into a User-Password attribute,
        #  and passed to another module for
        #  authentication.  This allows the EAP-GTC
        #  response to be checked against plain-text,
        #  or crypt'd passwords.
        #
        #  If you say Local instead of PAP, then
        #  the module will look for a User-Password
        #  configured for the request, and do the
 

Re: FreeRadius MySQL - Logs (where they are?)

2007-07-16 Thread Nataniel Klug

Hello Alan,

Yes, I know that this kind of log is put in /var/log/radius/radius.log. 
The problem is that they are not being logged there. Is it a configuration 
in radiusd.conf? I could not find this... Can you tell me what tag?


Alan DeKok wrote:

Nataniel Klug wrote:
  
I have configured my FreeRadius server to auth my clients over a 
MySQL table. The problem is that I do not have any more logs (like wrong 
login attempts). The detailed log is being done into a MySQL table named 
radacct (and works fine to block simultaneous use) but the problem is 
that I can't see anymore why a login attempt gets rejected.


Can someone tell me where to look?



  The logs are put in the file radius.log, not in SQL.  See radiusd.conf.

  Alan DeKok.


--
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]


Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brazil - 85301-290

... the wise, too, have a tangible heart and may at times use science 
as a means of showing sentimental impressions to which many do not judge them 
susceptible.
Visconde de Taunay



Re: FreeRadius MySQL - Logs (where they are?)

2007-07-16 Thread tnt
auth_log

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Nataniel Klug [EMAIL PROTECTED] wrote:

Hello Alan,

Yes, I know that this kind of log is put in /var/log/radius/radius.log.
The problem is that they are not being logged there. Is it a configuration
in radiusd.conf? I could not find this... Can you tell me what tag?

Alan DeKok wrote:
 Nataniel Klug wrote:

 I have configured my FreeRadius server to auth my clients over a
 MySQL table. The problem is that I do not have any more logs (like wrong
 login attempts). The detailed log is being done into a MySQL table named
 radacct (and works fine to block simultaneous use) but the problem is
 that I can't see anymore why a login attempt gets rejected.

 Can someone tell me where to look?


   The logs are put in the file radius.log, not in SQL.  See radiusd.conf.

   Alan DeKok.


Re: FreeRadius MySQL - Logs (where they are?)

2007-07-16 Thread Alan DeKok
Nataniel Klug wrote:
 Yes, I know that this kind of log is put in /var/log/radius/radius.log.
 The problem is that they are not being logged there.

  If the server starts, it prints text to that file.  If the file is
empty, the server isn't running as a daemon.

  If you're running in debugging mode, all output goes to the screen.

  Alan DeKok.


cisco redirect from freeradius

2007-07-16 Thread guildivernos guildivernos

hi freeradius people,

I want to redirect http traffic for some users in a cisco NAS. Is there any
way to do this ?
maybe with some VSA

thanks in advance

Re: Configuration doubt

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 08:05:15 Alan DeKok wrote:
 Osvaldohp wrote:
  This is my users file:
  mike  Auth-Type = System, User-Password == mike
        Session-Timeout := 3600,
 
  What am I doing wrong?

   You're telling the server to look in /etc/passwd for the user's
 password, and then also telling it what the user's password is.

   Don't set Auth-Type.

   Use 1.1.6.

   Use Cleartext-Password, not User-Password, as suggested in the FAQ.

   Alan DeKok.

Don't forget to use the ':=' operator for the Cleartext-Password attribute, in 
addition to all of the above.

-Kevin



Re: figuration doubt

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 09:40:48 Osvaldohp wrote:
 I found a nice paper about freeradius+mysql, so far everything is installed
 and working fine. My question is which field of my radius database
 (db_mysql.sql) I have to put Session-Timeout attribute to limit the use of
 the Internet from my HotSpot users?

Session-Timeout is a reply item, so it can go into the user or group reply 
item tables.

Kevin Bonner



mysql accounting connect speeds

2007-07-16 Thread Jeff
I need to log connect speeds from users.

At any rate, things are working fine from our own carrier globalpops to capture 
these on the start packet,

but for Yournetplus for some reason it doesn't work.

I see this info in the update accounting packet, so I thought I would modify the 
update query, but it gives errors.

Does anyone know why this is wrong? It stops right at the AscendDataRate ='26400' 
for example, then nothing after.

Trying to gather the Ascend-Data-Rate and USR-Connect-Speed.

 accounting_update_query = UPDATE ${acct_table1} \
  SET FramedIPAddress = '%{Framed-IP-Address}', \
  AcctSessionTime = '%{Acct-Session-Time}', \
  AcctInputOctets = '%{Acct-Input-Octets}', \
  AcctOutputOctets = '%{Acct-Output-Octets}' \
  AscenDataRate = '%{Ascend-Xmit-Rate}' \
  USRConnectSpeed = '%{USR-Connect-Speed}' \
  WHERE AcctSessionId = '%{Acct-Session-Id}' \
  AND UserName = '%{SQL-User-Name}' \
  AND NASIPAddress= '%{NAS-IP-Address}'

Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp

:) No because with other devices, the proxy works fine !!

I don't understand why it doesn't work :(


According to Peter Nixon [EMAIL PROTECTED]:

 On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
  The shared secret is the same because I use a radius Proxy and this proxy
  forwards the access-request to my radius server. The problem is the
  password ! With a password in plain text (Check with H3C 2811 and Cisco
  2960 equipment).

 Then you have the shared secret wrong between your proxy and your radius
 server.

 --

 Peter Nixon
 http://peternixon.net/


Re: mysql accounting connect speeds

2007-07-16 Thread tnt
And the errors are?

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Jeff [EMAIL PROTECTED] wrote:

I  need to log connect speeds from users  

At any rate things working fine from our own carrier globalpops to capture 
these on the start packet  

but Yournetplus for some reason it doesn't work.  

I see this info in the update accounting packet so i thought I would modify 
the update query but It gives errors  

anyone know why this is wrong.. it stops right at the AscendDataRate ='26400' 
for example then nothing after  

Trying to gather the Ascend-Data-Rate and USR-Connect-Speed  

 accounting_update_query = UPDATE ${acct_table1} \
  SET FramedIPAddress = '%{Framed-IP-Address}', \
  AcctSessionTime = '%{Acct-Session-Time}', \
  AcctInputOctets = '%{Acct-Input-Octets}', \
  AcctOutputOctets = '%{Acct-Output-Octets}' \
  AscenDataRate = '%{Ascend-Xmit-Rate}' \
  USRConnectSpeed = '%{USR-Connect-Speed}' \
  WHERE AcctSessionId = '%{Acct-Session-Id}' \
  AND UserName = '%{SQL-User-Name}' \
  AND NASIPAddress= '%{NAS-IP-Address}'




Configuration doubt

2007-07-16 Thread Osvaldohp
I have a hotSpot that gives access to the internet for my users. I use IPCOP
with advproxy addon like a point controller.
So when a user tries to access the internet IPCOP (advproxy) asks for a
username and password and then tries to authenticate the user in the radius
server.
Everything is great so far; my only problem is I can't limit the user's
access to the internet using Session-timeout attribute.
I really don't know what I have to do now. Can someone help me?




Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread tnt
Check the secret in clients.conf on the proxy and Cisco device radius
key. They are not the same then.

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


:) No because with other devices, the proxy works fine !!

I don't understand why it doesn't work :(


According to Peter Nixon [EMAIL PROTECTED]:

 On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
  The shared secret is the same because I use a radius Proxy and this proxy
  forwards the access-request to my radius server. The problem is the
  password ! With a password in plain text (Check with H3C 2811 and Cisco
  2960 equipment).

 Then you have the shared secret wrong between your proxy and your radius
 server.

 --

 Peter Nixon
 http://peternixon.net/


Re: Configuration doubt

2007-07-16 Thread tnt
Help you with what? If you managed to add the password to the check table
what could be the problem in adding Session-Timeout to the reply table?

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Osvaldohp [EMAIL PROTECTED] wrote:

I have a hotSpot that gives access to the internet for my users. I use IPCOP
with advproxy addon like a point controller.
So when a user tries to access the internet IPCOP (advproxy) asks for a
username and password and then tries to authenticate the user in the radius
server.
Everything is great so far; my only problem is I can't limit the user's
access to the internet using Session-timeout attribute.
I really don't know what I have to do now. Can someone help me?




Re: mysql accounting connect speeds

2007-07-16 Thread Jeff
Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '24000'   USRConnectSpeed = ''   WHERE 
AcctSess' at line 1
Mon Jul 16 11:23:24 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200'   USRConnectSpeed = ''   WHERE 
AcctSess' at line 1
Mon Jul 16 11:23:37 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200'   USRConnectSpeed = ''   WHERE 
AcctSess' at line 1
Mon Jul 16 11:23:42 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200'   USRConnectSpeed = ''   WHERE 
AcctSess' at line 1

  From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:06:28 -0400
Subject: Re: mysql accounting connect speeds

And the errors are?

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Jeff [EMAIL PROTECTED] wrote:

I need to log connect speeds from users 

At any rate things working fine from our own carrier globalpops to capture 
these on the start packet 

but Yournetplus for some reason it doesn't work. 

I see this info in the update accounting packet so i thought I would modify 
the update query but It gives errors 

anyone know why this is wrong.. it stops right at the AscendDataRate ='26400' 
for example then nothing after 

Trying to gather the Ascend-Data-Rate and USR-Connect-Speed 

 accounting_update_query = UPDATE ${acct_table1} \
 SET FramedIPAddress = '%{Framed-IP-Address}', \
 AcctSessionTime = '%{Acct-Session-Time}', \
 AcctInputOctets = '%{Acct-Input-Octets}', \
 AcctOutputOctets = '%{Acct-Output-Octets}' \
 AscenDataRate = '%{Ascend-Xmit-Rate}' \
 USRConnectSpeed = '%{USR-Connect-Speed}' \
 WHERE AcctSessionId = '%{Acct-Session-Id}' \
 AND UserName = '%{SQL-User-Name}' \
 AND NASIPAddress= '%{NAS-IP-Address}'



RE: 1.1.7 %{foo:-0} syntax?

2007-07-16 Thread Hugh Messenger
Alan DeKok said:
 Hugh Messenger wrote:
  Does 1.1.7 use the newer %{%{foo}:-0} or the older %{foo:-0} format?
 
   It uses the old format.

OK, the reason I asked was that the sql.conf in the 1.1.7 from the day I
posted that question had the new format, but that appears to have been fixed
in today's update.

   Alan DeKok.

   -- hugh




Re: FreeRadius and User-Password from Cisco Device

2007-07-16 Thread nicolaskarp
I'm so sorry! The problem was the secret between the proxy and the Cisco device.

Even if the secret is different, the access-request is forwarded to the radius
server, I didn't know that :(

Thank you very much!!!

Nicolas.

According to [EMAIL PROTECTED]:

 Check the secret in clients.conf on the proxy and Cisco device radius
 key. They are not the same then.

 Ivan Kalik
 Kalik Informatika ISP


 On 16/7/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 
 :) No because with other devices, the proxy works fine !!
 
 I don't understand why it doesn't work :(
 
 
 According to Peter Nixon [EMAIL PROTECTED]:
 
  On Mon 16 Jul 2007, [EMAIL PROTECTED] wrote:
   The shared secret is the same because I use a radius Proxy and this proxy
   forwards the access-request to my radius server. The problem is the
   password ! With a password in plain text (Check with H3C 2811 and Cisco
   2960 equipment).
 
  Then you have the shared secret wrong between your proxy and your radius
  server.
 
  --
 
  Peter Nixon
  http://peternixon.net/


RE: mysql accounting connect speeds

2007-07-16 Thread Jeff
Yes, and the AscendDataRate too.  
I get the inserts fine on the start packet and the data goes right in as 
it is supposed to.  
   
all works fine this way for our GlobalPOPS and all data shows up and into sql 
using this line in the start  
---  
 accounting_start_query = INSERT into ${acct_table1} (AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, 
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, 
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, 
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, 
FramedIPAddress, AcctStartDelay, AscendDataRate, USRConnectSpeed, 
AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', 
'0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', 
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', 
'%{Acct-Delay-Time}', '%{Ascend-Xmit-Rate}', '%{USR-Connect-Speed}', '0')  
---  
data goes right into mysql tables  
   
But YNP for some reason most miss the start, so I thought maybe I could grab 
them on the update query cause i see one or the other on in update packet, for 
ynp so then i would have what i need, but as i stated this errors out with the 
error i mentioned below trying to do this  
   
Jeff  
 

  From: Hugh Messenger [mailto:[EMAIL PROTECTED]
To: 'FreeRadius users mailing list' [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:40:53 -0400
Subject: RE: mysql accounting connect speeds


Jeff said:
  USRConnectSpeed = '%{USR-Connect-Speed}' \

Did you actually add a USRConnectSpeed column to the radacct table? There
isn't one by default.

-- hugh




Re: mysql accounting connect speeds

2007-07-16 Thread Dennis Skinner
Jeff wrote:
 Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL
 accounting ALIVE record - You have an error in your SQL syntax; check
 the manual that corresponds to your MySQL server version for the right
 syntax to use near 'AscendDataRate = '24000'   USRConnectSpeed =
 ''   WHERE AcctSess' at line 1

You need a comma between data items:

'AscendDataRate = '24000', USRConnectSpeed ='' WHERE AcctSess'
^^^

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re : How to configure EAP Identity in 1.1.3

2007-07-16 Thread Eshun Benjamin
Check on your AP, client.conf and naslist
 
== 
Benjamin K. Eshun

- Original message 
From: Govardhana K N [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 13:28:28
Subject: How to configure EAP Identity in 1.1.3

I changed it but the same error is still coming.


On 7/16/07, Eshun Benjamin [EMAIL PROTECTED] wrote:


You have misconfigured the Nas-Identifier 

 govardhana  Nas-Identifier == nas, Nas-Port-Type == 15

You have NAS-Identifier = jrcnas 
 
== 
 

Benjamin K. Eshun 



- Original message 
From: Govardhana K N 
[EMAIL PROTECTED]
To: FreeRadius freeradius-users@lists.freeradius.org

Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3 



Hi,

 

I was trying to configure FreeRadius server with EAP authentication. As 
mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an EAP 
message, and Message-Authenticator attributes in Access-Request. When I tried 
sending an Access-Request with EAP-Message, I got the following error: rlm_eap: 
Identity Unknown, authentication failed. 


 

How to configure the Identity for EAP?

 

debug log from server:

-

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf 

Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius 

 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024 

 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no 

 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: bind_address = 
127.0.0.1 IP address [127.0.0.1]
 main: user = freerad
 main: group = freerad

 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no 
 main: checkrad = /usr/sbin/checkrad

 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120 
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no

 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary 
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.

read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup 
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = no
 exec: program = (null)

 exec: input_pairs = request
 exec: output_pairs = (null) 
 exec: packet_type = (null)
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)

Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no

 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null) 
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System

 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group 
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no

 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60 
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no

rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP 
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no

rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups 
 preprocess: hints = /etc/freeradius/hints

 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no 
 preprocess: with_cisco_vsa_hack = no

 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @ 
 realm: ignore_default = no

 

Re: 1.1.7 %{foo:-0} syntax?

2007-07-16 Thread Peter Nixon
On Mon 16 Jul 2007, Hugh Messenger wrote:
 Alan DeKok said:
  Hugh Messenger wrote:
   Does 1.1.7 use the newer %{%{foo}:-0} or the older %{foo:-0} format?
 
It uses the old format.

 OK, the reason I asked was that the sql.conf in the 1.1.7 from the day I
 posted that question had the new format, but that appears to have been
 fixed in today's update.

Yep. That was my mistake. I found it during testing today.

-- 

Peter Nixon
http://peternixon.net/


Re: FreeRadius MySQL - Logs (where they are?)

2007-07-16 Thread Nataniel Klug

Thanks Alan,

I found the solution.

Alan DeKok wrote:

Nataniel Klug wrote:
  

Yes, I know that this kind of log is put in /var/log/radius/radius.log.
The problem is that they are not being logged there.



  If the server starts, it prints text to that file.  If the file is
empty, the server isn't running as a daemon.

  If you're running in debugging mode, all output goes to the screen.

  Alan DeKok.


--
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]



NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread Nataniel Klug
Hello all,

I have a question: when a NAS restarts without sending client logout 
to the freeradius server the clients stay connected in radacct table 
(AcctStopTime=0). What can I do to solve this kind of problem? What 
could happen is that when a NAS reboots my clients stay logged in and when 
the NAS starts again they will get You are already logged in 
(simultaneous-use).

-- 
Regards,

NATANIEL KLUG
[EMAIL PROTECTED]




Re: mysql accounting connect speeds

2007-07-16 Thread Jeff
OK, here's what I have now
 accounting_update_query = UPDATE ${acct_table1} \
  SET FramedIPAddress = '%{Framed-IP-Address}', \
  AcctSessionTime = '%{Acct-Session-Time}', \
  AcctInputOctets = '%{Acct-Input-Octets}', \
  AcctOutputOctets = '%{Acct-Output-Octets}' \
  AscendDataRate = '%{Ascend-Data-Rate}', \
  USRConnectSpeed = '%{USR-Connect-Speed}' \
  WHERE AcctSessionId = '%{Acct-Session-Id}' \
  AND UserName = '%{SQL-User-Name}' \
  AND NASIPAddress= '%{NAS-IP-Address}'  
   
   
and here's the new error
   
Mon Jul 16 12:49:19 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200',   USRConnectSpeed = ''   WHERE 
AcctSes' at line 1
Mon Jul 16 12:49:35 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200',   USRConnectSpeed = ''   WHERE 
AcctSes' at line 1
Mon Jul 16 12:49:40 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200',   USRConnectSpeed = ''   WHERE 
AcctSes' at line 1
Mon Jul 16 12:49:59 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200',   USRConnectSpeed = ''   WHERE 
AcctSes' at line   
   
 

  From: Dennis Skinner [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:59:34 -0400
Subject: Re: mysql accounting connect speeds

Jeff wrote:
 Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL
 accounting ALIVE record - You have an error in your SQL syntax; check
 the manual that corresponds to your MySQL server version for the right
 syntax to use near 'AscendDataRate = '24000' USRConnectSpeed =
 '' WHERE AcctSess' at line 1

You need a comma between data items:

'AscendDataRate = '24000', USRConnectSpeed ='' WHERE AcctSess'
^^^

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com

Re: mysql accounting connect speeds

2007-07-16 Thread tnt
Yes. You are missing commas before AscendDataRate and USRConnectSpeed
expressions that you have added to the update query.

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Dennis Skinner [EMAIL PROTECTED] wrote:

Jeff wrote:
 Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL
 accounting ALIVE record - You have an error in your SQL syntax; check
 the manual that corresponds to your MySQL server version for the right
 syntax to use near 'AscendDataRate = '24000'   USRConnectSpeed =
 ''   WHERE AcctSess' at line 1

You need a comma between data items:

'AscendDataRate = '24000', USRConnectSpeed ='' WHERE AcctSess'
^^^

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread tnt
If they are getting that message then nastype in clients.conf is set to
other which disables checkrad script and the checks are made only
against the database. Change the nastype to the vendor of your NAS (if
it is supported). Or simply delete all open entries older than the time
your NAS rebooted.

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Nataniel Klug [EMAIL PROTECTED] wrote:

Hello all,

I have a question: when a NAS restarts without sending client logout 
to the freeradius server, the clients stay connected in the radacct table 
(AcctStopTime=0). What can I do to solve this kind of problem? What 
could happen is that when a NAS reboots my clients stay logged in, and when 
the NAS starts again they will get You are already logged in 
(simultaneous-use).

-- 
Att,

NATANIEL KLUG
[EMAIL PROTECTED]


Cyber Nett - Internet Banda Larga
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

... sages, too, have a tangible heart and can at times use science as a means 
of showing sentimental impressions to which many do not judge them 
susceptible.
Visconde de Taunay




Re: mysql accounting connect speeds

2007-07-16 Thread Dennis Skinner
Jeff wrote:
   AcctOutputOctets = '%{Acct-Output-Octets}' \

Need comma on line above.  This is a MySQL issue, not a FR issue.
Please read the MySQL docs if you don't understand how to create a valid
query.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: mysql accounting connect speeds

2007-07-16 Thread Jeff
It's not that I do not understand, it's just these stupid bi-focals; I have a 
hard time seeing.  
I overlooked that, sorry for being a blind idiot.

  From: Dennis Skinner [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 13:54:02 -0400
Subject: Re: mysql accounting connect speeds

Jeff wrote:
 AcctOutputOctets = '%{Acct-Output-Octets}' \

Need comma on line above. This is a MySQL issue, not a FR issue.
Please read the MySQL docs if you don't understand how to create a valid
query.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com

Re: NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 12:37:08 Nataniel Klug wrote:
 Hello all,

 I have a question: when a NAS restarts without sending client logout
 to the freeradius server, the clients stay connected in the radacct table
 (AcctStopTime=0). What can I do to solve this kind of problem? What
 could happen is that when a NAS reboots my clients stay logged in, and when
 the NAS starts again they will get You are already logged in
 (simultaneous-use).


Your NAS should send an Accounting-On packet which you can use to flag the 
existing connections as offline/disconnected.  You can also use checkrad to 
confirm the session is active.

Kevin Bonner



dictionary files 'encrypt' option

2007-07-16 Thread Gaonkar, Kedar
Hi,
There are a few dictionary files in /freeradius-1.1.6/share/ directory. Some of 
the Attributes have 'encrypt' option with values 1 or 2.

I tried putting 'encrypt=2' for an attribute in a packet that was meant to be 
proxied on port 1814. But after giving this value, the packet is being sent on 
1812.

I wanted to know what these values mean, and what are the other values that can 
be given. Can someone please help me with this?

Thanks!
Regards,
- Kedar

RE: NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread Hugh Messenger
[EMAIL PROTECTED] said:
 On 16/7/2007, Nataniel Klug [EMAIL PROTECTED] wrote:
 
 Hello all,
 
 I have a question: when a NAS restarts without sending client logout
 to the freeradius server, the clients stay connected in the radacct table
 (AcctStopTime=0). What can I do to solve this kind of problem? What
 could happen is that when a NAS reboots my clients stay logged in, and when
 the NAS starts again they will get You are already logged in
 (simultaneous-use).
 

 If they are getting that message then nastype in clients.conf is set to
 other which disables checkrad script and the checks are made only
 against the database. Change the nastype to the vendor of your NAS (if
 it is supported). Or simply delete all open entries older than the time
 your NAS rebooted.

Shouldn't the NAS send one or both of accounting off/on, which (if the
accounting_onoff_query is defined correctly) should set the AcctStopTime to
now() (or %S depending on flavor)?

 Ivan Kalik
 Kalik Informatika ISP

   -- hugh





RE: NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread tnt
I don't think things like Mikrotik and Chillispot send such packets.
I've never seen one from our Mikrotik which is rebooted once every week
or two. I've never seen one from our Cisco either but that's because
it hasn't been rebooted in the last 18 months ;-)

Ivan Kalik
Kalik informatika ISP


On 16/7/2007, Hugh Messenger [EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] said:
 On 16/7/2007, Nataniel Klug [EMAIL PROTECTED] wrote:
 
 Hello all,
 
 I have a question: when a NAS restarts without sending client logout
 to the freeradius server, the clients stay connected in the radacct table
 (AcctStopTime=0). What can I do to solve this kind of problem? What
 could happen is that when a NAS reboots my clients stay logged in, and when
 the NAS starts again they will get You are already logged in
 (simultaneous-use).
 

 If they are getting that message then nastype in clients.conf is set to
 other which disables checkrad script and the checks are made only
 against the database. Change the nastype to the vendor of your NAS (if
 it is supported). Or simply delete all open entries older than the time
 your NAS rebooted.

Shouldn't the NAS send one or both of accounting off/on, which (if the
accounting_onoff_query is defined correctly) should set the AcctStopTime to
now() (or %S depending on flavor)?

 Ivan Kalik
 Kalik Informatika ISP

   -- hugh





1.1.7 problem with DEFAULT Auth-Type

2007-07-16 Thread Hugh Messenger
I just had my first aborted attempt at running 1.1.7 on one of my live
servers.

 

Main problem is it just refuses to pick up the ...

DEFAULT Auth-Type = pam
    Fall-Through = 1

... in my users file, which is pretty much my entire users file, the only
other entry is the standard PPP default entry.  Everything else is in SQL.

Unfortunately, I panicked after 5 mins of flailing around and reinstalled
1.1.6, and neglected to copy the -X output, which has since scrolled off the
edge of the world.  However, it definitely never printed any Matched entry
DEFAULT lines, and complained that no Auth-Type was set.

The same users file works fine in 1.1.6.

   -- hugh


1.1.7 MySQL postauth_query

2007-07-16 Thread Hugh Messenger
I seem to recall having this problem when I first ran 1.1.6.  The
postauth_query is:

 

postauth_query = INSERT into ${postauth_table} (id, user, pass,
reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW())

... but MySQL barfs about an invalid 'id' value.  Maybe this is down to my
schema ... but surely, being an auto increment, we just don't need to specify
the 'id' in the INSERT?

I've modified it at my end to just be ...

postauth_query = INSERT into ${postauth_table} (user, pass, reply,
date) values ('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW())

... which works fine.

   -- hugh


1.1.7 sqlippool %{SQL-User-Name}

2007-07-16 Thread Hugh Messenger
Peter ... as per your postgres 1.1.7 sqlippool queries, I changed the MySQL
ones to use %{SQL-User-Name} instead of %{User-Name} ... only it doesn't seem
to pick up a value, so the UserName is coming up blank in the radippool
table.

Example:

sqlippool_expand: 'UPDATE radippool   SET expiry_time = NOW() + INTERVAL
3600 SECOND   WHERE NASIPAddress = '%{Nas-IP-Address}'   AND pool_key =
'%{Calling-Station-Id}'   AND UserName = '%{SQL-User-Name}'   AND
CallingStationId = '%{Calling-Station-Id}'   AND FramedIPAddress =
'%{Framed-IP-Address}''

radius_xlat:  'UPDATE radippool   SET expiry_time = NOW() + INTERVAL 3600
SECOND   WHERE NASIPAddress = '216.108.219.36'   AND pool_key =
'00:14:6C:37:16:49'   AND UserName = ''   AND CallingStationId =
'00:14:6C:37:16:49'   AND FramedIPAddress = '172.168.124.120''

This happens on both 1.1.6 and 1.1.7.

Should that be something like %{control:SQL-User-Name} ?

My apologies - I don't know how I missed this when testing yesterday.  I
guess it returned an IP just fine, so I didn't actually look at what it was
doing too closely!

   -- hugh


Re: NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread Claudiu Filip


Hi Nataniel,


   If you have a NASty which doesn't send accounting-off when
   rebooting, I guess you have three options:

   1) use checkrad script to test if the user is indeed logged in.
   The NASty should have a way to check for connected users or sessions
   by using snmp/telnet/etc.
   If you have many auth requests and many NAStys, it will consume a
   lot of CPU on both sides.
   Result: no angry customers, but high cpu usage and no billing

   2) run every N minutes a script to get the list of connected users
   for every NASty. compare that list with the db entries and delete
   lost sessions from db.
   Result: low cpu usage, better billing (if your customers pay by time
   usage, you can still charge now() - N minutes - acct_start), but
   'already logged in' will last N minutes (at most)
   
   3) use petitiononline.com service to management with a subject
   Network.Access.Server.TY must be replaced with
   Network.Access.Upgraded.Good.Hardware.TY.
   Result: no problems at all. using good hardware is always the best
   option.

   You can implement all three options AT THE SAME TIME to minimize
   the impact.


Best regards,

Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113

Monday, July 16, 2007, 7:37:08 PM, you wrote:
 Hello all,

 I have a question: when a NAS restarts without sending client logout
 to the freeradius server, the clients stay connected in the radacct table 
 (AcctStopTime=0). What can I do to solve this kind of problem? What 
 could happen is that when a NAS reboots my clients stay logged in, and when
 the NAS starts again they will get You are already logged in 
 (simultaneous-use).


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
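
The periodic reconciliation described in this thread (option 2 above, and the earlier "delete all open entries" suggestion), as an added example that is not part of any poster's message. It is Python with an in-memory SQLite table standing in for the MySQL radacct table; the reduced column set, the `close_stale_sessions` helper, the epoch-second times, the 'NAS-Reboot' terminate cause and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Reduced stand-in for radacct (assumption: only the columns used here;
# times are epoch seconds and AcctStopTime = 0 marks an open session).
SCHEMA = """
CREATE TABLE radacct (
    AcctSessionId      TEXT,
    UserName           TEXT,
    NASIPAddress       TEXT,
    AcctStartTime      INTEGER,
    AcctStopTime       INTEGER DEFAULT 0,
    AcctSessionTime    INTEGER DEFAULT 0,
    AcctTerminateCause TEXT DEFAULT ''
)"""

def close_stale_sessions(db, nas_ip, live_session_ids, now, grace=0):
    """Close open rows for nas_ip that the NAS no longer reports as active.

    live_session_ids: ids the NAS lists as connected (gathered out of band).
    grace: ignore rows started within the last `grace` seconds, so a session
           that began after the NAS was polled is not closed by mistake.
    Returns the (AcctSessionId, UserName) pairs that were closed.
    """
    rows = db.execute(
        "SELECT AcctSessionId, UserName FROM radacct "
        "WHERE NASIPAddress = ? AND AcctStopTime = 0 AND AcctStartTime <= ? "
        "ORDER BY AcctStartTime",
        (nas_ip, now - grace),
    ).fetchall()
    stale = [(sid, user) for sid, user in rows if sid not in live_session_ids]
    # Bound parameters only: session ids and user names arrive from the
    # network and must never be spliced into the SQL text.
    db.executemany(
        "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ? - AcctStartTime, "
        "AcctTerminateCause = 'NAS-Reboot' "  # label chosen for this example
        "WHERE NASIPAddress = ? AND AcctSessionId = ? AND AcctStopTime = 0",
        [(now, now, nas_ip, sid) for sid, _ in stale],
    )
    db.commit()
    return stale

def open_sessions(db, user):
    """Open rows for a user, which is what a simultaneous-use check counts."""
    return db.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (user,),
    ).fetchone()[0]

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed rows: s1 and s2 were open when NAS 192.0.2.1 rebooted,
    # s4 is bob reconnecting afterwards, s3 belongs to a different NAS.
    db.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, AcctStartTime) "
        "VALUES (?, ?, ?, ?)",
        [("s1", "alice", "192.0.2.1", 1000), ("s2", "bob", "192.0.2.1", 1200),
         ("s3", "carol", "192.0.2.2", 1300), ("s4", "bob", "192.0.2.1", 1990)],
    )
    closed = close_stale_sessions(db, "192.0.2.1", {"s4"}, now=2000, grace=5)
    return db, closed
```

Scoping the UPDATE to one NAS address and to rows that are still open keeps the job idempotent and leaves sessions on other NASes untouched.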


Re: dictionary files 'encrypt' option

2007-07-16 Thread Alan DeKok
Gaonkar, Kedar wrote:
 There are a few dictionary files in /freeradius-1.1.6/share/ directory.
 Some of the Attributes have 'encrypt' option with values 1 or 2.

 I tried putting 'encrypt=2' for an attribute in a packet that was meant
 to be proxied on port 1814. But after giving this value, the packet is
 being sent on 1812.

  Uh, no.  The server doesn't work like that.  The code that handles the
encryption of attributes is completely independent of the code that does
proxying.

 I wanted to know what these values mean, and what are the other values
 that can be given. Can someone please help me with this?

$ man dictionary

  Alan DeKok.


How to configure EAP Identity in 1.1.3

2007-07-16 Thread Govardhana K N

Kedar,

I have used response because I will be sending an EAP-Identity response
packet to the Radius Server. So the code field is not Request; it should be
Response.

All,

Thanks for the help. I was able to send the EAP message with EAP-Type-Identity
field.

I have got an Access-Challenge response from the server, and the
Access-Request sent in response to this challenge is failing (Access-Reject
is sent by the server). Below I have given the debug log from the server,

rad_recv: Access-Request packet from host 127.0.0.1:32825, id=60, length=113
   User-Name = jrc
   User-Password = jrc
   NAS-Identifier = jrcnas
   NAS-Port-Type = Ethernet
   CUI = 0
   Service-Type = Framed-User
   Framed-MTU = 1400
   Calling-Station-Id = 1:1:1:1:1:1
   Message-Authenticator = 0xaff453c7f7e3dc3639458de9740366a1
   EAP-Message = 0x02d20008016a7263
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = jrc, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: EAP packet type response id 210 length 8
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
   users: Matched entry DEFAULT at line 152
   users: Matched entry jrc at line 179
 modcall[authorize]: module files returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
 modcall[authenticate]: module eap returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 60 to 127.0.0.1 port 32825
   CUI = jrccui
   Class = 0x6a7263636c617373
   State = 0x6a72637374617465
   Framed-MTU = 1400
   Framed-IP-Address = 1.2.3.4
   Service-Type = Framed-User
   Session-Timeout = 30
   MS-MPPE-Send-Key = 0x6a72636d736b
   MS-MPPE-Recv-Key = 0x6a7263726563766d736b
   AAA-Session-Id = jrcmultisessionid
   HA-IP-MIP4 = 1.1.1.1
   DHCPv4-Server = 2.2.2.2
   MN-HA-MIP4-KEY = jrcmipkey
   MN-HA-MIP4-SPI = jrcmipspi
   DHCP-RK = jrcdhcprk
   DHCP-RK-KEY-ID = jrcdhcpkey
   DHCP-RK-LIFETIME = 20
   EAP-Message = 0x01d300160410e0ccb378852f7a673815379d2f819db1
   Message-Authenticator = 0x
   State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=61, length=155
   User-Name = jrc
   User-Password = jrc
   NAS-Identifier = jrcnas
   NAS-Port-Type = Ethernet
   CUI = 0
   Service-Type = Framed-User
   Framed-MTU = 1400
   Calling-Station-Id = 1:1:1:1:1:1
   Message-Authenticator = 0x8dc52d59961b5eb7d8789f7cb4dbea5a
   State = 0x6a72637374617465
   State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
   EAP-Message = 0x02d300160410d3ab9cde585da0c10b343d38433fa0db
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
 modcall[authorize]: module preprocess returns ok for request 2
 modcall[authorize]: module chap returns noop for request 2
 modcall[authorize]: module mschap returns noop for request 2
   rlm_realm: No '@' in User-Name = jrc, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 2
 rlm_eap: EAP packet type response id 211 length 22
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 2
   users: Matched entry DEFAULT at line 152
   users: Matched entry jrc at line 179
 modcall[authorize]: module files returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
 rlm_eap: Failed in handler
 modcall[authenticate]: module eap returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
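
Decoding the EAP-Message values from the debug log above, as an added example that is not part of the original post: a Python decoder for the EAP header (RFC 3748) plus both sides of the MD5-Challenge calculation (RFC 1994). The function names are hypothetical, and the password is a parameter because the thread does not show the users file entry.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

def parse_eap(hex_value):
    """Decode one EAP-Message value as printed in the debug output."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field says {length}, got {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        eap_type, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 4:
            # MD5-Challenge data: Value-Size, Value, optional Name
            if not data or data[0] > len(data) - 1:
                raise ValueError("MD5-Challenge Value-Size exceeds the packet")
            pkt["value"] = data[1:1 + data[0]]
    return pkt

def md5_value(ident, password, challenge):
    """Response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_md5_response(request_hex, password):
    """Supplicant side: answer an MD5-Challenge request, returned as 0x... hex."""
    req = parse_eap(request_hex)
    value = md5_value(req["id"], password, req["value"])
    body = bytes([4, len(value)]) + value
    return "0x" + (struct.pack("!BBH", 2, req["id"], 4 + len(body)) + body).hex()

def check_md5_response(request_hex, response_hex, password):
    """Server side: reasons a response fails (an empty list means accepted)."""
    req, resp = parse_eap(request_hex), parse_eap(response_hex)
    problems = []
    if resp["code"] != "Response" or resp.get("type") != "MD5-Challenge":
        problems.append("not an MD5-Challenge response")
    if resp["id"] != req["id"]:
        problems.append("identifier does not match the outstanding request")
    expected = md5_value(req["id"], password, req["value"])
    if not hmac.compare_digest(resp.get("value", b""), expected):
        problems.append("MD5 value does not match the password")
    return problems

# EAP-Message values copied from the debug log above.
IDENTITY_RESPONSE = "0x02d20008016a7263"
CHALLENGE = "0x01d300160410e0ccb378852f7a673815379d2f819db1"
LOGGED_RESPONSE = "0x02d300160410d3ab9cde585da0c10b343d38433fa0db"
```

Running `parse_eap` over the three logged values gives the same code, id and length that rlm_eap prints, and `check_md5_response(CHALLENGE, LOGGED_RESPONSE, password)` tests the logged response against a candidate password.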

Re: How to configure EAP Identity in 1.1.3

2007-07-16 Thread Alan DeKok
Govardhana K N wrote
 I have got an Access-Challenge response from the server, and the
 Access-Request sent in response to this challenge is failing
 (Access-Reject is sent by the server). Below i have given the debug log
 from the server,

  Are you writing a 802.1x supplicant?  It looks like it.

  Also, note that the server does NOT support WiMAX attributes.  You can
create a WiMAX dictionary, but the attributes in the packet will NOT be
in the WiMAX format.  Also, many of the WiMAX attributes have
sub-attributes, and those are definitely not supported.

  Alan DeKok.


Re: How to configure EAP Identity in 1.1.3

2007-07-16 Thread Govardhana K N

If that is the case, How can I add the WiMAX support in Free Radius? What
are the changes I should make in order to have WiMAX support?

On 7/17/07, Alan DeKok [EMAIL PROTECTED] wrote:


Govardhana K N wrote
 I have got an Access-Challenge response from the server, and the
 Access-Request sent in response to this challenge is failing
 (Access-Reject is sent by the server). Below i have given the debug log
 from the server,

Are you writing a 802.1x supplicant?  It looks like it.

Also, note that the server does NOT support WiMAX attributes.  You can
create a WiMAX dictionary, but the attributes in the packet will NOT be
in the WiMAX format.  Also, many of the WiMAX attributes have
sub-attributes, and those are definitely not supported.

Alan DeKok.





--
With Regards,
Govardhana K N