Will connection attempts from NAS' not in nas table be logged?

2007-09-06 Thread Patric

Hi Guys,

Just a quick question, as per the subject line:

If my freeradius server receives a connection attempt from a NAS not 
listed in the NAS table (as specified in sql.conf : nas_table = nas), 
will that attempt appear in the radius.log, or would such information 
only appear in debug mode?


Many thanks!
Patric

--

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Will connection attempts from NAS' not in nas table be logged?

2007-09-06 Thread Patric

Patric wrote:

> Hi Guys,
>
> Just a quick question, as per the subject line:
>
> If my freeradius server receives a connection attempt from a NAS not
> listed in the NAS table (as specified in sql.conf : nas_table = nas),
> will that attempt appear in the radius.log, or would such information
> only appear in debug mode?
>
> Many thanks!
> Patric



And then I go and answer my own question after further digging...

radius.log:Thu Sep  6 09:46:55 2007 : Error: Ignoring request from unknown client xxx.xxx.xxx.xxx:x


Sorry to have bothered everyone :]

Thanks

--

Q: I want to be a sysadmin.  What should I do?

A: Seek professional help.
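
One way to watch for the log line quoted above, as an added example that is not part of the original post or of FreeRADIUS: it scans radius.log text for "Ignoring request from unknown client" and summarises the sources. The sample log lines, addresses and function names are constructed for illustration.

```python
"""Summarise 'unknown client' rejections found in a FreeRADIUS radius.log.

Added illustration, not FreeRADIUS code. SAMPLE_LOG is constructed and uses
documentation address ranges.
"""
import re
from datetime import datetime

# Matches the message format shown in the post. search() is used so that a
# grep-style "radius.log:" prefix in front of the timestamp is tolerated.
UNKNOWN_CLIENT = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"Error: Ignoring request from unknown client "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)

# Constructed sample input.
SAMPLE_LOG = """\
Thu Sep  6 09:46:50 2007 : Info: Ready to process requests.
Thu Sep  6 09:46:55 2007 : Error: Ignoring request from unknown client 192.0.2.10:1024
Thu Sep  6 09:47:01 2007 : Auth: Login OK: [testuser] (from client localnas port 1)
Thu Sep  6 09:47:02 2007 : Error: Ignoring request from unknown client 192.0.2.10:1024
Thu Sep  6 09:52:40 2007 : Error: Ignoring request from unknown client 198.51.100.7:32768
"""


def unknown_clients(lines):
    """Return {source_ip: {"count", "first", "last", "ports"}} for rejected senders."""
    seen = {}
    for line in lines:
        match = UNKNOWN_CLIENT.search(line)
        if not match:
            continue
        when = datetime.strptime(match.group("ts"), "%a %b %d %H:%M:%S %Y")
        entry = seen.setdefault(
            match.group("ip"),
            {"count": 0, "first": when, "last": when, "ports": set()},
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["ports"].add(int(match.group("port")))
    return seen


def repeat_senders(summary, threshold=2):
    """Sources rejected at least `threshold` times: a misconfigured NAS or a prober."""
    return sorted(ip for ip, entry in summary.items() if entry["count"] >= threshold)


if __name__ == "__main__":
    summary = unknown_clients(SAMPLE_LOG.splitlines())
    for ip, entry in summary.items():
        print(ip, entry["count"], entry["first"], entry["last"], sorted(entry["ports"]))
    print("repeat senders:", repeat_senders(summary))
```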



Freeradius to MSSQL connection

2007-09-06 Thread Pretty Woman
Hello,

I have a problem connecting Freeradius to a mssql
server. 

I installed FreeTDS and UNIXodbc and tested their
connection to the mssql server and it worked.

Please tell me what could be the problem ?

radiusd -X reads:

rlm_sql (sql): Driver rlm_sql_unixodbc (module
rlm_sql_unixodbc) loaded and linked
rlm_sql (sql): Attempting to connect to
[EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc
#0
rlm_sql_unixodbc: Connection failed IM002
[unixODBC][Driver Manager]Data source name not found,
and no default driver specified
rlm_sql (sql): Failed to connect DB handle #0

Here is the working connection to mssql server :

[EMAIL PROTECTED] ~]# tsql -H [IP-OF-MSSQL-SERVER] -p 1433
-U USERNAME -P PASSWORD
locale is en_US.UTF-8
locale charset is UTF-8
1 quit

[EMAIL PROTECTED] ~]# isql [IP-OF-MSSQL-SERVER] USERNAME
PASSWORD
+---+
| Connected!|
|   |
| sql-statement |
| help [tablename]  |
| quit  |
|   |
+---+
SQL quit

[EMAIL PROTECTED] ~]# rpm -qa | grep freerad
freeradius-1.0.5-1.2

Thanks



   



Re: Strange behaviour of rlm_chap (freeradius 1.1.7+mysql)

2007-09-06 Thread Dan Searle
Hi,

Hello? Is there anybody out there? Can someone who knows how CHAP
works please explain to me how this could be happening?

Does a CHAP challenge time-out after a certain amount of time? Does
the rlm_chap module hold a copy of old CHAP challenges and prevent
the same one being re-used to stop replay attacks? If so how do I
switch this off?

Anyone? Anything?

Dan...

Thursday, August 30, 2007, 3:08:16 PM, you wrote:

 Hi,

 I've been running a free radius server for a while now, but today for
 no apparent reason I'm getting a lot of intermittent authentication
 failures using the rlm_chap module.

 Here's a trace of two logins: the first works fine, the second a few
 moments later fails, the username and password supplied in both cases
 are correct and exactly the same. Can anyone shed any light on this?
 I've tried rebuilding the mysql database from scratch, and recompiling
 and installing the radius server, but to no avail...

 


 rad_recv: Access-Request packet from host 81.178.20.107:1024, id=25, 
 length=204
 NAS-Port-Type = Wireless-802.11
 Calling-Station-Id = 00:14:A4:87:DF:FF
 Called-Station-Id = rural-ap1
 NAS-Port-Id = wlan2
 User-Name = [EMAIL PROTECTED]
 NAS-Port = 2149580817
 Acct-Session-Id = 80200011
 Framed-IP-Address = 10.5.50.254
 Mikrotik-Host-IP = 10.5.50.254
 CHAP-Challenge = 0xx[removed]
 CHAP-Password = 0xx[removed]
 Service-Type = Login-User
 WISPr-Logoff-URL = http://10.5.50.1/logout;
 NAS-Identifier = rural-ap1
 NAS-IP-Address = 10.0.0.249
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 3
   modcall[authorize]: module preprocess returns ok for request 3
   rlm_chap: Setting 'Auth-Type := CHAP'
   modcall[authorize]: module chap returns ok for request 3
 users: Matched entry DEFAULT at line 54
 radius_xlat:  '/usr/local/bin/mtauth.pl [EMAIL PROTECTED]'
   modcall[authorize]: module files returns ok for request 3
 radius_xlat:  '[EMAIL PROTECTED]'
 rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
 radius_xlat:  'SELECT id, UserName, Attribute, Value, op  
 FROM radcheck   WHERE Username = '[EMAIL PROTECTED]'   ORDER 
 BY id'
 rlm_sql (sql): Reserving sql socket id: 0
 rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   
 FROM radcheck   WHERE Username = '[EMAIL PROTECTED]'   ORDER 
 BY id
 radius_xlat:  'SELECT
 radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username =
 '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER 
 BY radgroupcheck.id'
 rlm_sql_mysql: query:  SELECT
 radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username =
 '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupcheck.GroupName ORDER 
 BY radgroupcheck.id
 radius_xlat:  'SELECT id, UserName, Attribute, Value, op  
 FROM radreply   WHERE Username = '[EMAIL PROTECTED]'   ORDER 
 BY id'
 rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   
 FROM radreply   WHERE Username = '[EMAIL PROTECTED]'   ORDER 
 BY id
 radius_xlat:  'SELECT
 radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username =
 '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER 
 BY radgroupreply.id'
 rlm_sql_mysql: query:  SELECT
 radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username =
 '[EMAIL PROTECTED]' AND usergroup.GroupName = radgroupreply.GroupName ORDER 
 BY radgroupreply.id
 rlm_sql (sql): Released sql socket id: 0
   modcall[authorize]: module sql returns ok for request 3
 modcall: leaving group authorize (returns ok) for request 3
   rad_check_password:  Found Auth-Type CHAP
 auth: type CHAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group CHAP for request 3
   rlm_chap: login attempt by [EMAIL PROTECTED] with CHAP password
   rlm_chap: Using clear text password xxx for user [EMAIL PROTECTED] 
 authentication.
   rlm_chap: chap user [EMAIL PROTECTED] authenticated succesfully
   modcall[authenticate]: module chap returns ok for request 3
 modcall: leaving group CHAP (returns ok) for request 3
 Exec-Program output: Session-Timeout=1173,
 Mikrotik-Xmit-Limit=1073222818, Mikrotik-Recv-Limit=1073515121,
 Exec-Program-Wait: value-pairs: Session-Timeout=1173,
 Mikrotik-Xmit-Limit=1073222818, Mikrotik-Recv-Limit=1073515121,
 Exec-Program: returned: 0
 Sending 

Re: Strange behaviour of rlm_chap (freeradius 1.1.7+mysql)

2007-09-06 Thread tnt
And how can anyone help? You have deleted the most relevant parts of the
debug (CHAP attributes and the password, which, according to the server,
are not the same in both cases). If you don't want to use data from a
real user, create a test one and post that.

Ivan Kalik
Kalik Informatika ISP



Re[2]: Strange behaviour of rlm_chap (freeradius 1.1.7+mysql)

2007-09-06 Thread Dan Searle
Hi,

I can assure you the password is exactly the same in both cases. I'll
try and setup a test user later on and post the results. But the
passwords in the two traces I posted below were the same.

Dan...

Thursday, September 6, 2007, 10:47:34 AM, you wrote:

> And how can anyone help? You have deleted the most relevant parts of the
> debug (CHAP attributes and the password, which, according to the server,
> are not the same in both cases). If you don't want to use data from a
> real user, create a test one and post that.
>
> Ivan Kalik
> Kalik Informatika ISP



Re: Freeradius to MSSQL connection

2007-09-06 Thread Alan DeKok
Pretty Woman wrote:
> I have a problem connecting Freeradius to a mssql
> server.
...
> rlm_sql_unixodbc: Connection failed IM002
> [unixODBC][Driver Manager]Data source name not found,
> and no default driver specified

  See the Unixodbc documentation for the meaning of those errors.

> [EMAIL PROTECTED] ~]# rpm -qa | grep freerad
> freeradius-1.0.5-1.2

  sigh  That version is YEARS out of date.  Why are you using it?

  Alan DeKok.


Re[4]: Strange behaviour of rlm_chap (freeradius 1.1.7+mysql)

2007-09-06 Thread Dan Searle
Hi,

No, again I can assure you that the same password is sent in both
cases, and it matches the password on the server (stored in clear
text).


Thursday, September 6, 2007, 11:04:12 AM, you wrote:

> Password on the server is most likely the same. Password sent most likely
> isn't.
>
> Ivan Kalik
> Kalik Informatika ISP



how to configure MNID in the access accept response packet?

2007-09-06 Thread j v
Hey guys,
  Throw some light on how to configure MNID to be sent in the access accept 
response packet to the client for wireless networks authentication if AT 
hardware identifier is sent to the server as vendor specific information.

   

LSB initscript compliance

2007-09-06 Thread Francesco Cristofori
Hi all,
I'd like to integrate FR 1.1.7 installation with Heartbeat-2 but it
seems that the initscript /etc/init.d/freeradius is not LSB compliant,
so integration is not straightforward.

Is there anybody working on this (very small) issue?

Greetings,
Francesco.



Re: Strange behaviour of rlm_chap (freeradius 1.1.7+mysql)

2007-09-06 Thread Alan DeKok
Dan Searle wrote:
> Hello? Is there anybody out there?

  Are you going to read previous responses on this list?

http://lists.freeradius.org/pipermail/freeradius-users/2007-August/065807.html

> Can someone who knows how CHAP
> works please explain to me how this could be happening?

  See the previous message.

> Does a CHAP challenge time-out after a certain amount of time? Does
> the rlm_chap module hold a copy of old CHAP challenges and prevent
> the same one being re-used to stop replay attacks?

  No, and no.

  Try it using radclient.  Take the attributes printed out in debugging
mode from the Access-Request, and put them into a file.  Replace the
CHAP-Password hex stuff with the real password (radclient will do the
CHAP hashing).  Use radclient to send the packet to the server...
multiple times

  a) you see the same thing: bad RAM or memory corruption
  b) radclient always works: throw away your NAS and buy one that works.

  Alan DeKok.
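
The comparison a CHAP check comes down to, as an added example that is not part of the original message or of FreeRADIUS: RFC 2865 defines CHAP-Password as one CHAP ID octet followed by MD5(ID || password || challenge), so the hex values of CHAP-Password and CHAP-Challenge from the debug output are exactly what is needed to tell a wrong password from a NAS that sends inconsistent attributes. The password, challenges and function names below are constructed for illustration.

```python
"""Recompute a RADIUS CHAP-Password (RFC 2865, section 5.3) from debug output.

Added illustration, not FreeRADIUS source. All sample values are constructed.
"""
import hashlib
import hmac


def parse_hex_attr(value: str) -> bytes:
    """Turn the '0x...' form printed in debugging mode into raw bytes."""
    text = value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Build the 17-octet CHAP-Password: ID octet + MD5(ID || password || challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP ID must fit in one octet")
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Check a received CHAP-Password against the stored clear-text password."""
    if len(chap_password) != 17:
        return False  # malformed attribute: 1 ID octet + 16 digest octets expected
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


def compare_attempts(cleartext: bytes, attempts):
    """attempts: list of (CHAP-Password hex, CHAP-Challenge hex) taken from two requests."""
    return [
        verify_chap(parse_hex_attr(pw_hex), parse_hex_attr(ch_hex), cleartext)
        for pw_hex, ch_hex in attempts
    ]


def constructed_attempts(cleartext: bytes):
    """Two constructed requests for the same user and the same password.

    The first is consistent. In the second, the response was hashed over one
    challenge while the packet carries another, so it fails although the
    password typed by the user never changed.
    """
    challenge_a = bytes(range(16))
    challenge_b = bytes(range(16, 32))
    response = chap_response(0x2A, cleartext, challenge_a)
    return [
        ("0x" + response.hex(), "0x" + challenge_a.hex()),
        ("0x" + response.hex(), "0x" + challenge_b.hex()),
    ]


if __name__ == "__main__":
    password = b"testing123"  # constructed test password
    attempts = constructed_attempts(password)
    for ok, (pw_hex, ch_hex) in zip(compare_attempts(password, attempts), attempts):
        print("accept" if ok else "reject", pw_hex, ch_hex)
```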


Re: LSB initscript compliance

2007-09-06 Thread Alan DeKok
Francesco Cristofori wrote:
> Hi all,
> I'd like to integrate FR 1.1.7 installation with Heartbeat-2 but it
> seems that the initscript /etc/init.d/freeradius is not LSB compliant,
> so integration is not straightforward.

  What isn't compliant?

> Is there anybody working on this (very small) issue?

  Nope.  Send a patch.

  Alan DeKok.


Dialup admin online user page real online user different

2007-09-06 Thread hyunok
Hello,

I have a freeradius 1.1.7 server setup with ppp and pptp using a mysql 
DB for user authentication.

dialup admin web Online Users page == 5 online 

real online pptp user === 7 online

Why different?


Re: Dialup admin online user page real online user different

2007-09-06 Thread Kostas Kalevras

hyunok wrote:

> Hello,
> I have a freeradius 1.1.7 server setup with ppp and pptp using a mysql
> DB for user authentication.
> dialup admin web Online Users page == 5 online
> real online pptp user === 7 online
> Why different?


Dialupadmin will only show you what the database is telling it (unless 
you have a nas supporting the aaa-session-mib in which case it can first 
query the nas for the online users list). You can enable sql debug to 
see the sql queries run.


--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com


unlang question

2007-09-06 Thread Norbert Wegener

I want to use the result from a sql query in something like this:
...
   switch %{sqlnastype:SELECT nas.type FROM `nas` WHERE 
nas.nasname ='%{NAS-IP-Address}'} {

case Cisco {
...

It works, and it is a great feature.

The point is, it seems to work only if there is an 
authorize_check_query and an authorize_reply_query in the sql module.
So I have to set up an authorize_reply_query with UserName, Attr Name, 
Attr Value, Op, although I am only interested in the answer to the query 
above, which might be Cisco, Enterasys or something like that.


Is there a way to avoid such an authorize_reply_query or even the 
authorize_check_query?


Norbert Wegener



R: LSB initscript compliance

2007-09-06 Thread Francesco Cristofori
>   What isn't compliant?

The script /etc/init.d/freeradius is not compliant with these
guidelines:
http://www.linuxbase.org/spec/refspecs/LSB_3.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html

The script does not implement the status action and isn't compliant to
the behaviour described in the docs above.

>>  Is there anybody working on this (very small) issue?
>
>   Nope.  Send a patch.

Ok, I'll write it asap.

>   Alan DeKok.

Francesco.



Re: LSB initscript compliance

2007-09-06 Thread Nicolas Baradakis
Francesco Cristofori wrote:

> I'd like to integrate FR 1.1.7 installation with Heartbeat-2 but it
> seems that the initscript /etc/init.d/freeradius is not LSB compliant,
> so integration is not straightforward.
>
> Is there anybody working on this (very small) issue?

I've written an initscript with the LSB functions for the Debian package.
You may look at debian/freeradius.init in CVS head.

-- 
Nicolas Baradakis



can't start radius

2007-09-06 Thread ann kok
Hi all

When starting the radius, the error is showing the
file size is exceeding 

check /var/log/freeradius/radwtmp is 2G

1/ how can I avoid it but we still keep the log file?

2/ Is the limitation in linux or in freeradius
program?
if it is in linux, can I increase the file size limit?
I am using debian

thank you


   



Re: can't start radius

2007-09-06 Thread A . L . M . Buxey
Hi,
> Hi all
>
> When starting the radius, the error is showing the
> file size is exceeding
>
> check /var/log/freeradius/radwtmp is 2G
>
> 1/ how can I avoid it but we still keep the log file?
>
> 2/ Is the limitation in linux or in freeradius
> program?
> if it is in linux, can I increase the file size limit?
> I am using debian

which version of freeradius, did you compile it yourself?
2Gb is the standard 32bit service limit - freeradius can
be compiled to support larger files - but otherwise
you'll just have to move that file out of the way...why
do you need to keep it? log archives? if so, just archive it

alan


CA.all problem

2007-09-06 Thread Mack Ragan

Hi,

Using the provided script CA.all, trying to create self-signed certs 
on a new freeradius box and running into a missing serial file problem.  
Executing the commands in the script line-by-line shows that the command 
openssl ca  -policy policy_anything  -out newcert.pem -passin 
pass:whatever -key whatever -extensions xpserver_ext -extfile 
xpextensions -infiles newreq.pem is what is looking for the file 
./demoCA/serial which does not exist.  I think it is normally created 
during CA.pl -newca but this doesn't appear to happen with the 
script's command of echo newreq.pem | /usr/local/ssl/misc/CA.pl 
-newca.  I'm using OpenSSL version 0.9.8e.  Anyone have this experience?


Thanks!


Re: R: LSB initscript compliance

2007-09-06 Thread Michael Schwartzkopff




Francesco Cristofori wrote:

>>   What isn't compliant?
>
> The script /etc/init.d/freeradius is not compliant with these
> guidelines:
> http://www.linuxbase.org/spec/refspecs/LSB_3.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
>
> The script does not implement the "status" action and isn't compliant to
> the behaviour described in the docs above.
>
>>>  Is there anybody working on this (very small) issue?
>>
>>   Nope.  Send a patch.
>
> Ok, I'll write it asap.
>
>>   Alan DeKok.
>
> Francesco.

  

Hi,

if you write a patch, why don't you implement all of the ocf features?
radtest would be useful for the monitor part. Would be fun. Thanks.

Michael.



Re: CA.all problem

2007-09-06 Thread LeRoy DeVries
On Thu, 2007-09-06 at 13:56 -0400, Mack Ragan wrote:

> Hi,
>
> Using the provided script CA.all, trying to create self-signed certs
> on a new freeradius box and running into a missing serial file problem.
> Executing the commands in the script line-by-line shows that the command
> openssl ca  -policy policy_anything  -out newcert.pem -passin
> pass:whatever -key whatever -extensions xpserver_ext -extfile
> xpextensions -infiles newreq.pem is what is looking for the file
> ./demoCA/serial which does not exist.  I think it is normally created
> during CA.pl -newca but this doesn't appear to happen with the
> script's command of echo newreq.pem | /usr/local/ssl/misc/CA.pl
> -newca.  I'm using OpenSSL version 0.9.8e.  Anyone have this experience?
>
> Thanks!


Check this site out to answer your question

http://www.tc.umn.edu/~brams006/selfsign.html

dutch

Re: CA.all problem

2007-09-06 Thread Alan DeKok
Mack Ragan wrote:
 Using the provided script CA.all, trying to create self-signed certs
 on a new freeradius box and running into a missing serial file problem. 
 Executing the commands in the script line-by-line shows that the command
 openssl ca  -policy policy_anything  -out newcert.pem -passin
 pass:whatever -key whatever -extensions xpserver_ext -extfile
 xpextensions -infiles newreq.pem is what is looking for the file
 ./demoCA/serial which does not exist.  I think it is normally created
 during CA.pl -newca but this doesn't appear to happen with the
 script's command of echo newreq.pem | /usr/local/ssl/misc/CA.pl
 -newca.  I'm using OpenSSL version 0.9.8e.  Anyone have this experience?

  OpenSSL has changed the way their scripts run a number of times.  I've
pretty much given up trying to keep up.

  Instead, use the certificate generation tools in 2.0.0-pre2.  They're
simple and easy to use.

  Alan DeKok.


Re: CA.all problem

2007-09-06 Thread Mack Ragan
Thanks Alan.  I have actually figured out some openssl commands that 
seem to have worked ok for me.  I'll post them a little later for what 
it's worth to anyone.


Alan DeKok wrote:

Mack Ragan wrote:
  

Using the provided script CA.all, trying to create self-signed certs
on a new freeradius box and running into a missing serial file problem. 
Executing the commands in the script line-by-line shows that the command

openssl ca  -policy policy_anything  -out newcert.pem -passin
pass:whatever -key whatever -extensions xpserver_ext -extfile
xpextensions -infiles newreq.pem is what is looking for the file
./demoCA/serial which does not exist.  I think it is normally created
during CA.pl -newca but this doesn't appear to happen with the
script's command of echo newreq.pem | /usr/local/ssl/misc/CA.pl
-newca.  I'm using OpenSSL version 0.9.8e.  Anyone have this experience?



  OpenSSL has changed the way their scripts run a number of times.  I've
pretty much given up trying to keep up.

  Instead, use the certificate generation tools in 2.0.0-pre2.  They're
simple and easy to use.

  Alan DeKok.
  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
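
The failure reported in this thread is `openssl ca` looking for `./demoCA/serial` and not finding it. As an added example (not from any post above, and not FreeRADIUS or OpenSSL code), this shell preflight reads the `[ CA_default ]` section of an OpenSSL config and reports, or creates, the state files `openssl ca` expects; the function names, the sample config and the starting serial `01` are assumptions made for illustration.

```shell
# Added example: check the state files `openssl ca` reads before signing.
# Run it from the directory openssl runs in; config paths are relative to it.

# Print "key path" for the CA state entries of [ CA_default ], expanding $dir.
ca_paths() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == "[CA_default]"); next }
        insec && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "dir") dir = val
            gsub(/\$dir/, dir, val)
            if (key ~ /^(dir|database|serial|new_certs_dir)$/) print key, val
        }' "$1"
}

# ca_check CONF [fix]: list missing state, or create it when "fix" is given
# (new serial starts at 01, an assumption). Existing index/serial files are
# left alone: resetting them would let the CA reuse serials already issued.
ca_check() {
    rc=0
    while read -r key path; do
        case $key in
            dir|new_certs_dir) [ -d "$path" ] && continue ;;
            database)          [ -f "$path" ] && continue ;;
            serial)            [ -s "$path" ] && continue ;;
            *)                 continue ;;
        esac
        if [ "${2:-}" != fix ]; then echo "missing $key: $path"; rc=1; continue; fi
        case $key in
            database) mkdir -p "$(dirname "$path")" && : > "$path" ;;
            serial)   mkdir -p "$(dirname "$path")" && echo 01 > "$path" ;;
            *)        mkdir -p "$path" ;;
        esac
    done <<EOF
$(ca_paths "$1")
EOF
    return $rc
}

write_sample_conf() {   # constructed sample, laid out like the stock openssl.cnf
    cat > "$1" <<'EOF'
[ CA_default ]
dir           = ./demoCA        # where everything is kept
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
EOF
}
```

Running `ca_check` without `fix` only reports what is missing, which is the safer first step on a directory that may already hold a live CA.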


reject_delay setting effecting Access-Accept responses

2007-09-06 Thread Roy D. Hockett


Has anyone seen the reject_delay setting in radiusd.conf affect the 
response time to subsequent access-accept responses?  I haven't seen 
anything on this in the mailing list, but I wanted to check before I
look into the code.

Thanks,
--Roy

//
/* Roy Hockett *   Telephone: (734) 763-7325*/
/* Network Engineer,   * FAX: (734) 615-1727*/
/* ITCom,  *Internet: [EMAIL PROTECTED]  */
/* University of Michigan  **/
//


Re: reject_delay setting effecting Access-Accept responses

2007-09-06 Thread Alan DeKok
Roy D. Hockett wrote:
 Has anyone seen the reject_delay setting in radiusd.conf affect the
 response time to subsequent access-accept responses? 

  It doesn't affect Access-Accepts.

  Alan DeKok.


radcheck problem

2007-09-06 Thread YvesDM
Hi,

I want a specific user (call him john) NOT to be able to login through a
specific nas.
So I thought, just add this to radcheck

INSERT INTO `radcheck` (`UserName`, `Attribute`, `op`, `Value`) VALUES
('john','NASIdentifier','!=','nas-id')

(nas-id is the nasidentifier of the specific nas)

Anyway, when I add this entry to radcheck, john gets rejected all the time,
no matter what nas he's connecting to.
Am I overlooking something?


Kind regards